An Intro to Fully Homomorphic Encryption for Engineers

in full homomorphic encoding is a fabled engineering ( at least in the cryptanalysis community ) that allows for arbitrary calculation over encrypted data. With privacy as a major stress across technical school, in full homomorphic encoding ( FHE ) fits perfectly into this fresh narrative. FHE is relevant to populace distributed ledgers ( such as blockchain ) and machine memorize. The first base FHE dodge was successfully constructed in 2009 by Craig Gentry. Since then, there have been numerous proposed FHE schemes and no dearth of relate exploit in the space. however, there ‘s little explanation as to why all this workplace is being done or the motivation for any of it. When I inaugural started learning about FHE, I had many questions : Why are there sol many schemes ? Does FHE have an actual use case ? If FHE is american samoa potent as describe, why has n’t it taken off yet ? We ‘ll start by providing an introduction to how FHE works and some areas in which it might be utilitarian. The meat of the article is in the 2nd section where we consider why FHE has yet to have received widespread attention and some potential solutions to these issues. The TL;DR of it is that there is a complete lack of usability when working with FHE libraries currently. All of the inner workings and complexities of the FHE scheme—of which there are many—are exposed to the engineer. ultimately, we ‘ll point to some libraries in the space if you ‘re interest in getting your hands dirty.

What is fully homomorphic encryption (FHE)?

in full homomorphic encoding is a type of encoding system that allows you to perform arbitrary* computations on encrypted data. * not wholly true but we ‘ll leave that out for now

A Refresher on Public Key Encryption Schemes

Let ‘s start with a brief review of encoding schemes. Plaintext is data in the clear ( i.e. unencrypted data ) whereas ciphertext is encrypted data. Algorithms in an Encryption Scheme
An encoding scheme includes the following 3 algorithms :

  • KeyGen(...security_parameters)keys: The Key Generation algorithm takes some security parameter(s) as its input. It then outputs the key(s) of the scheme.
  • Encrypt(plaintext, key, randomness)ciphertext: The Encryption algorithm takes a plaintext, a key, and some randomness (encryption must be probabilitistic to be “secure”) as inputs. It then outputs the corresponding ciphertext (i.e. encrypted data).
  • Decrypt(ciphertext, key)plaintext: The Decryption algorithm takes a ciphertext and a key as inputs. It outputs the corresponding plaintext.

In a private key encoding dodge, the lapp key is used to both encrypt and decode. That means anyone who can encrypt plaintext ( i.e. data in the pass ) can besides decrypt ciphertext ( i.e. encrypted datum ). These types of encoding schemes are besides referred to as “ symmetrical ” since the relationship between encryption/decryption is symmetrical .
however, in a public key encoding scheme, different keys are used to encrypt and decrypt. An person may be able to encrypt data but have no manner of decrypting the match ciphertext. These types of encoding schemes are besides referred to as “ asymmetrical ” since the relationship between encryption/decryption is asymmetrical. You may have listen of the ElGamal encoding schema before ( which is based on the Diffie-Hellman identify exchange ). These schemes are normally taught in an introductory cryptanalysis course and ( in most contemporary applications ) rely on a normally used type of cryptanalysis called elliptic curve cryptanalysis .

So what’s the “homomorphic” part mean?

We will turn our concentrate to homomorphic ( public key ) encoding schemes as they are the most useful. The “ homomorphic ” depart implies that there is a special kinship between performing computations in the plaintext space ( i.e. all valid plaintexts ) vs. ciphertext space ( i.e. all valid ciphertexts ). specifically, in a “ homomorphic encoding schema, ” the following relationships hold :

  • Homomorphic addition: Encrypt(a) + Encrypt(b) = Encrypt(a + b)
  • Homomorphic multiplication: Encrypt(a) * Encrypt(b) = Encrypt(a * b)

Allowing you to do something like :
Encrypt(3xy + x) = Encrypt(3xy) + Encrypt(x) = [3 * Encrypt(x) * Encrypt(y)] + Encrypt(x)
sol just by knowing Encrypt(x) and Encrypt(y), we can compute the encoding of more complicated polynomial expressions .

How does it work? What’s the intuition?

Let Encrypt(a) be referred to as a'. Let Encrypt(b) be referred to as b'. Recall that a' and b' are ciphertexts. Every time we perform a homomorphic operation, we add extra noise to the ciphertexts. At some point if the make noise gets excessively big, you wo n’t be able to successfully decrypt the ciphertext. You ‘re merely out of fortune. For homomorphic addition, the noise does n’t grow besides badly. You can think of the noise increase as Noise(a' + b') = Noise(a') + Noise(b'). however, the problem lies with performing homomorphic multiplication. In a homomorphic multiplication, the make noise growth behaves as Noise(a' * b') = Noise(a') * Noise(b'). Let ‘s use some numbers to make this more concrete. We ‘ll say that Noise(a') is 10. We ‘ll say that Noise(b') is 20. The FHE dodge has some noise ceiling after which point we can not decrypt the ciphertext even if we have the decoding key. For our case, let ‘s say the noise ceiling is 300. After performing a single homomorphic addition between the two ciphertexts, the noise will be 10 + 20 = 30. not bad ! however, if we perform a single homomorphic multiplication between a' and b', the resulting noise will be 10 * 20 = 200 for the ciphertext a' * b'. If we then tried to compute (a' * b') * (a'), the make noise would be excessively big for the FHE scheme ! frankincense, we would not be able to decrypt (a' * b') * (a') even if we had the decoding winder ( since Noise(a' * b') * Noise(a') = 200 * 10 = 2000 ). It ‘s your caper to correctly set all parameters of the scheme, perform “ noise control ” operations at the right fourth dimension ( we wo n’t go into what these operations are in this article since they can differ by scheme ), and try not to do excessively many homomorphic multiplications. Does that sound intimidating to you ? You ‘re in good company then. bill : There is a room to get around the situate noise ceiling— ” bootstrapping “ —which comes with its own plant of complexities and trade-offs .

What’s needed to build a fully homomorphic encryption scheme?

All FHE schemes use a specific type of post-quantum cryptography called lattice cryptography. The good newsworthiness is that FHE is resistant to attacks from a quantum calculator ( if we should be concerned about such a thing is an wholly different subject ). The bad news is you probable have no acquaintance with wicket cryptography flush if you ‘ve taken an introductory cryptography course before. Simply put, lattices sit inside the very vector space ( differently known as R^n ) and can be represented using vectors and matrices ( which you decidedly should have casualness with ! ). FHE schemes can be broken down into 3 types depending on how they model calculation ( see this presentation if matter to in more advance technical details ). The first type models computations as boolean circuits ( i.e. bits ). The second type models calculation as modular arithmetic ( i.e. “ clock ” arithmetical ). The third base and final type models computations as floating point arithmetic .

Computational Model Good for Schemes*
Boolean Number Comparison TFHE
Modular Arithmetic Integer Arithmetic, Scalar Multiplication BGV, BFV
Floating Point Arithmetic Polynomial Approximation, Machine Learning Models CKKS

The names of these schemes normally come from the last names of the authors who created it. For example, “ BGV ” comes from the authors Brakerski, Gentry, and Vaikuntanathan. * not an exhaustive list of schemes ! I ‘ve barely listed some well-known ones .

Why do we care about this?

Private Transactions on a Public Ledger (e.g. blockchain). A secret transaction dodge allows a exploiter to securely send digital currentness to some recipient role without revealing the come being sent to anyone ( apart from the intend recipient ) on a public distributed daybook. This is in contrast to cryptocurrencies like Bitcoin where transactions and balances are all public information .
We assume a in full homomorphic ( public key ) encoding outline. All encryptions are done with respect to the Receiver ‘s keys .

  1. Sender wants to send t tokens to the Receiver. Sender encrypts t under the Receiver’s public key.
  2. Sender publishes Encrypt(t) on the public ledger.
  3. Notice that Encrypt(t) + Encrypt(Receiver's balance) = Encrypt(Receiver's balance after performing the transaction).

This can be extended to more concern fiscal applications such as auctions, vote, and derivatives. An FHE system that models calculation as modular arithmetical may be the most suitable for this type of application .
notice : For this to work in practice, some other cryptanalytic tools are besides needed ( such as zero-knowledge proof ) .
Private Machine Learning. There ‘s been increase concern in the concluding few years around how we might be able to “ learn ” from data ( via car learning ) while still keeping the data itself individual. FHE is one instrument that can help us achieve this goal. In contrast to the previous application, we likely want an FHE outline that models computations as floating point arithmetic here .
One well-known make in this space is Crypto-Nets which combines ( as the name might suggest ) FHE and neural networks to allow for outsource machine learn. When people talk about “ outsource machine teach, ” the place setting normally being described is one in which a data owner wants to learn about his data but does not feel comfortable openly sharing his data with a company providing machine memorize models. therefore, the data owner encrypts his data using FHE and allows the car learning company to run their models on the encrypted data set .
Homomorphic encoding may not be the sole solution to this problem ; differential gear privacy is a closely relate topic that has garnered a fortune of attention in the by few years. Differential privacy is more statistics than cryptography as it does not directly involve encryption/decryption. It works by adding noise to data in the clear while still guaranteeing that meaningful insights can be drawn from the noisy data sets. Apple is one major company that purportedly uses differential privacy to learn about your behavior while maintaining some flat of privacy .

Why FHE Hasn’t Taken Off Yet: Challenges in the Space

so far this all sounds bang-up but I ‘ve been leaving out a total of problems .

Many Different Schemes (aka everyone is speaking a different language)

You ‘ve decided you want to use FHE—great ! hera ‘s some considerations that now need to be taken into account :

How do you want to model computation?

FHE schemes model calculation in one of three ways—as boolean circuits, modular arithmetic, or floating point arithmetic. Hopefully it ‘s obvious which model you need since there are n’t many resources beyond basic ones like this to help you out. This question is likely the least of your concerns though .

What if I have multiple options for FHE schemes that fall under the same computational model I need (e.g. choosing between BGV vs. BFV for modular arithmetic)?

Hmm, that ‘s unfortunate. There is n’t much work explaining the tradeoffs between different schemes with the same computational model. You ‘ll probably have to play around with the assorted schemes and implement your specific use case with both of them to determine which is best. There are some very involve research papers ( such as this ) that you can try wading through .

Do schemes based on different computational models otherwise behave the same?

Kind of but not in truth. Different schemes tend to use different techniques to control efficiency and noise growth that you ‘ll need to understand to successfully work with FHE. additionally, the schemes have unlike parameters you need to understand in order to set them by rights. The parameters affect not entirely the security system of the schema ( which is a given in cryptography ), but besides the sorts of plaintexts you can work with, the number of homomorphic computations you can do, and the overall performance of the schema .

Are the different schemes compatible at all?

Does this picture* assistant ? credibly not unless you know quite a sting of mathematics and cryptography. There is a kinship between some of the FHE schemes but to understand the relationship you besides need to understand how the assorted FHE schemes work in detail. Having a lot of choices is capital !

But it ‘s not bang-up when :

  • you don’t know the tradeoffs between the different FHE schemes or how the schemes relate to one another
  • you have to invest a lot of energy into understanding a single scheme
  • a lot of the knowledge gained from understanding one scheme is not really transferable to learning a new scheme (under a different computational model)

Potential Solutions: 1. Updated and improved benchmarking efforts A large offspring is the miss of up-to-date benchmarking efforts. It ‘s hard to recommend which FHE scheme to use for a particular manipulation lawsuit when we do n’t know how one implementation performs against another ( on the same machine, for a finical sic of comparable parameters ). FHE libraries change promptly, incorporating new optimizations, so benchmarking efforts from 1-2 years ago quickly lose relevance ( such as this from 2018 for versatile implementations of the BFV scheme ). 2. Better resources/guides to explain tradeoffs between schemes Without up-to-date benchmarking of different schemes and libraries, it ‘s impossible to provide good resources that explain the tradeoffs between the FHE schemes in practice. There have been some presentations ( such as this one ) that try to illuminate the differences between the 3 computational models in FHE. however, there are n’t any good resources to help if you ‘re trying to choose between different schemes using the like computational model. 3. ability to move between different FHE schemes ( i.e. interoperability ) If there were some interoperability between different FHE schemes, it would be easier to understand how the schemes relate to one another. An academic work on this subject is CHIMERA which provides a framework for switching between TFHE ( boolean ), BFV ( modular arithmetical ), and HEAAN ( floating sharpen arithmetical ). unfortunately, this work requires a very potent background in abstract algebra along with good acquaintance of all the FHE schemes used. More accessible resources explaining the relationship between the different types of schemes would be dainty ( by “ character ” we mean the 3 types of computational models—boolean, modular arithmetical, floating point arithmetical ). * Image is from CHIMERA ‘s paper

Efficiency (more complex of an issue than it seems)

If you talk to most people companion with FHE and ask them why FHE is n’t being used, they ‘ll frequently wave the exit off by saying something like “ oh, it ‘s not effective. ” personally, I find this explanation to be a bite faineant because it vastly simplifies the issue. Public key encoding is less efficient than secret cardinal encoding but that does n’t mean everyone entirely uses individual key encoding. There are absolutely reasonable cases where a less efficient technology should be used. personal bombast aside, we ‘re going to look at some considerations you have to take into report for efficiency with FHE. How many computations do you want to perform? Some FHE schemes allow you to perform a truly arbitrary act of computations on encrypted data. many schemes, however, only allow for a certain number of homomorphic operations to be performed. After that point, there ‘s no guarantee decoding will be successful. Say, for case, the FHE outline allows for only 100 consecutive homomorphic multiplications ( note : addition is generally “ easy ” in FHE schemes, whereas generation is much hard ). If we tried to do the 101th homomorphic multiplication, there ‘s no guarantee that the resulting ciphertext can be correctly decrypted. The schemes that allow for a in truth arbitrary number of homomorphic computations suffer from very poor performance. If you ‘re able to figure out a ceiling on the number of homomorphic multiplications you need to do, that will help to achieve much better performance. How big do you need your plaintext space to be? The larger the plaintext space, the slower it will be to perform operations. For FHE schemes that model calculation as modular arithmetical, choosing a modulus on the orderliness of 1000 vs. 1,000,000 makes a boastfully difference in terms of what plaintexts you can represent. This might be specially crucial if you ‘re representing account balances with your ciphertexts and motivation to ensure they do n’t “ wrap around ” the modulus. Are you going to perform the same operation on many different plaintexts or ciphertexts (i.e. “SIMD” style computations)? Some FHE schemes can take advantage of “ SIMD “ style operations to perform the same operation on multiple plaintexts or ciphertexts simultaneously. If this sort of parallelization is utilitarian for you, you should consider exploring schemes and libraries that offer this functionality. SIMD expressive style operations, if used correctly, can very improve efficiency. What key sizes are acceptable to you? With TFHE, for exercise, some keys you ‘ll need to access in the outline can be 1 GB bombastic ! The performance, in terms of timings, may be decent but you ‘re alternatively left with a giant cardinal you need to store. Are you okay with large ciphertexts? Ciphertext expansion can be quite bad when working with FHE. Looking again at TFHE, the plaintext-to-ciphertext expansion is 10,000:1 for an acceptable horizontal surface of security ( 100 bits ). What matters most for you in terms of performance? You ca n’t “ have it all ” in FHE so it ‘s important to determine what you need vs. want. possibly you actually need debauched comparison of numbers. possibly you in truth need to parallelize calculation. possibly you need a large plaintext space. All these little considerations need to be taken into report when choosing an FHE outline. Potential Solutions: 1. Hardware acceleration Some FHE schemes can be accelerated using GPUs ; examples of such libraries include nuFHE and cuFHE. other efforts to accelerate FHE schemes have included using FPGAs ( e.g. HEAX ). HEAX works with the CKKS dodge ( floating orient arithmetical ) and can yield performance speed-ups of anywhere from 12x to over 250x depending on the specific operation. unfortunately, the paper suggests that a FPGA-based approach is not american samoa successful for the BFV scheme ( integer arithmetic ). 2. Research breakthroughs improving FHE schemes Easier said than done .

Usability (there is none)

The previous discussion leads us to our final point—usability. FHE is not beginner-friendly, not user-friendly, and surely not non-cryptographer-friendly. There actually is n’t any serviceability for an mastermind lacking a mathematics or cryptography backdrop. Most FHE libraries require trench expertness of the fundamental cryptanalytic scheme to use both correctly and efficiently. Another cryptanalyst has described working with FHE as similar to writing assembly—there ‘s a huge difference in performance between good and bang-up implementations. Wading through libraries like HElib can be intimidating without a potent background in the underlie dodge .

Is the situation really that bad?

We ‘ll briefly touch on the issues that make FHE exceptionally user-unfriendly .

  • Parameter setup is non-trivial. For example, in BFV (which is simpler than the BGV scheme), we have to set up a polynomial modulus, a coefficient modulus, and a plaintext modulus. Setting these parameters requires understanding how they affect the scheme (e.g. what sort of operations you’re planning on doing, how many operations). Additionally, to understand what the parameters mean, you’ll have to learn some basic theory about rings (abstract algebra). We currently cannot abstract away these issues; it’s just necessary for working with FHE schemes.
  • Public key encryption has just 3 main algorithms (KeyGen,Encrypt, Decrypt), but it’s not so simple for FHE schemes which have additional operations (which also differ between schemes). Because you need to understand how and when to use certain operations, working with FHE requires developing intuition yourself.
  • To develop good intuition, you need to work with the scheme….but some libraries have very little documentation.
  • Understanding one type of scheme may not transfer very well to understanding a different type of scheme (by type here, I’m referring to the three different computational models).

So…am I ready to go use FHE now?

credibly not, but you ‘re decidedly ready to look at some libraries ! Potential Solutions: 1. standardization efforts By this, we mean standards to make it clean what parameters to use, what functionalities are offered, etc. calibration efforts are presently led by the open industry/government/academic consortium “ Homomorphic Encryption Standardization. ” They ‘ve already released draft proposals around security and API standards for homomorphic encoding. They tend to meet 1-2x a class if you ‘re interest in attending their meetings. 2. More user-friendly libraries and examples One model of this is Microsoft ‘s SEAL which has an incredibly instructive examples section. Hopefully more libraries will take the time to create user-friendly software documentation and examples. 3. electric potential compilers There have been discussions in the FHE community for a while now about creating a compiler or some average representation to make FHE easier to work with. Cingulata is one such attempt .

What’s the takeaway from all of this?

It’s not you, it’s FHE.

You know that platitude dissolution line “ it ‘s not you, it ‘s me ? ” Well, that ‘s peculiarly true here. high-level programming languages have abstracted away a lot of the complexity of how your calculator works. But there is no analogue of “ high-level programming languages ” when working with FHE. You ca n’t abstract away any of the complexities ( of which there are a fortune ). Although calibration is ongoing and there are efforts to make FHE more beginner-friendly, FHE just is n’t ready to be used by non-cryptographers at the here and now in a production-ready environment.

I ‘m very bullish about FHE ‘s future. right now, though, the concentrate needs to be on improving FHE ‘s efficiency ( a given ) and making libraries more available for others .

Show me the code!

If you do not have previous know with FHE, we recommend starting with a more user-friendly library such as SEAL. Some libraries ( such as SEAL and PALISADE ) offer multiple types of FHE schemes. To prevent confusion, we list the specific FHE scheme in parentheses after the library ‘s list .

Computational Model Available Libraries
Modular Arithmetic HElib, SEAL (BFV), Lattigo (BFV), PALISADE (BFV, BGV)
Floating Point Arithmetic SEAL (CKKS), Lattigo (CKKS), PALISADE (CKKS)

Leave a Reply

Your email address will not be published.