
An open-source fully homomorphic encryption library - cirwin
https://github.com/shaih/HElib
======
drostie
"Fully homomorphic" means "a computation can be done on two encrypted values
without decrypting them." It is an extension of _partially homomorphic_
systems, which allow some computation which cannot be extended to arbitrary
computations.

A good usage case for partially homomorphic systems is public elections.
Suppose given E(x) and E(y) you can efficiently compute E(x + y). Now imagine
that you arrange a set of bit-fields as:

    
    
        1000 1100  0111 0111    0100 1110     0010 1001
        (random)  (check bits) (votes Alice)  (votes Bob)
    

In other words, the current vote tally is being represented as a number
E(0x8C774E29). You can now create two ballots, E(0xBF010100) and
E(0xBF010001). You can add either of those ballots to the vote tally even
though you cannot read the vote tally. We can make all of these numbers public
knowledge without disclosing your vote -- i.e. a public database can say
"Alice's vote was E(0xBF010100)" and "Bob's vote was E(0xDB010001)" and once
that encryption is performed, third parties cannot actually verify that Alice
didn't vote for Bob or vice versa. So any member of the population can take
the public database and confirm that the arithmetic was done properly on the
encrypted vote tallies, without figuring out what the actual votes were. Then
at the highest level, the tally can be decrypted to find out that Alice won
the vote, without disclosing exactly who voted for her. The "check bits" form
here a sum of votes as a quick check that someone didn't just add some random
ballot in there to screw with the system.

Of course, you need more bits as you want to have more candidates and more
voters; and there are problems with confirming that a number looks like
0x010100 and not 0x050500. But fundamentally you can get these really cool
cryptographic voting systems which preserve the anonymity of your vote at the
lowest level, but can be audited at the lowest level (i.e. we can potentially
remove votes, say, from people who were not alive at the time of the
election), the votes have perfectly auditable mathematics up to the regional
level due to the public databases of encrypted votes; and then once the
population is large enough to suitably anonymize the vote, you can decrypt and
tally votes publicly too.

Now that's if you just have some function esum such that esum(E(x), E(y)) =
E(x + y).

If you have enough to make a full set of logical gates, you could in principle
do an entire computation on a set of inputs which you couldn't possibly know,
so that the "cloud" could "compute" with your data without ever actually
knowing it.

~~~
Someone
I never understand how one could call anything that is fully homomorphic
encryption.

Let's say I have access to E(N), the encryption of some secret integer N, and
want to know N.

Because of the " _fully_ homomorphic" part, given E(x) and E(y) I can compute
E(x+y), E(x-y), E(x/y), etc.

So from E(N), assuming N != 0, I can compute E(N/N) = E(1). Using addition, I
can compute E(2), E(3), from there.

From there, I can compute E(N mod 2), E(N mod 3), etc. Comparing them with
E(1), E(2), etc, I can recover (N mod 2), (N mod 3), etc.

Once I have those for numbers whose LCM is known to be greater than N, I can
use the Chinese remainder theorem to recover N. I think this is fairly
efficient in terms of number of computations. If not, other methods exist. For
example, one could compute E(1 << b) and from there E(N & (1 << b)) for
successive values of b, thus recovering successive bits of N.

What do I overlook here?

~~~
kedean
Well, ideally you wouldn't be using tiny numbers. If you're using huge
numbers, then what you're describing is the equivalent of a rainbow table
technique. It's going to take an extraordinary amount of time, computations,
and comparisons to be able to figure out what a value was originally, and once
you do you've only done it for that one key, whose value you still don't know.

Besides, the big foreseen uses of HE is in applications where the confidential
data is going to be changing constantly, so once you've finally figured out
what one value was, it'll be worthless to have it because computation has
continued.

~~~
Someone
_"If you're using huge numbers, then what you're describing is the equivalent
of a rainbow table technique"_

Please reread what I wrote; it is not. Let's do the second variant: to
determine whether N is odd or even, compute:

    
    
      e1 = E(N/N) (equals E(1)) ; 1, encrypted
      b1 = E(N & 1)             ; equals e1 iff N is odd
                                ; (least significant bit of N)
      e2 = E(1+1)               ; 2, encrypted
      b2 = E(N & 2)             ; equals e2 iff second bit is set
      e4 = E(2+2)               ; 4, encrypted
      e4 = E(N & 4)             ; equals e4 iff third bit is set
      e8 = E(4+4)               ; 8, encrypted
      Etc.
    

Each line is one homomorphic operation. You need ceil(2 log(N)) lines to
recover N.

~~~
drostie
This is a great question! I freely confess that I'm not totally sure about the
fully homomorphic systems, but you are making the assumption that you can test
for equality "outside" the cryptosystem, and for at least one partially
homomorphic case I know of, that's not true (viz. ElGamal).

So you're thinking of a private key cryptosystem, where the ciphertext and the
plaintext have the same _length_ and E(.) is bijective, but in the case of
ElGamal and public-key encryption in general, E(.) is not actually a function
in the mathematical sense and instead encrypts one-to-many. (In fact if memory
serves, _n_ plaintext bits become _2n_ ciphertext bits in ElGamal.)

If that's the case in general then you could indeed compute E(1) :=
e_div(E(N), E(N)) and e_and(E(N), E(1)), but you could not say that E(N & 1)
=== E(1) if N is odd, because even though N & 1 = 1 and we've got a nice
property of mathematical functions which says that if a = b then f(a) = f(b),
this isn't a mathematical function and the one-to-many nature foils precisely
this sort of naive comparison.

~~~
Someone
Thanks for the reply. I indeed was thinking of just comparing the encrypted
bits.

That requires that encrypting X always produces the same bits. Reading on
ElGamal on Wikipedia learnt me that it does not guarantee that; it also
doubles messages in size, as you thought. That will thwart this attack for any
reasonable size of the encoded messages.

One could do the comparison inside the crypto system, but that would not help
either, as one cannot check the outcome of such a comparison.

------
StavrosK
This is not terribly on-topic, but, if you're interested in cryptography, Dan
Boneh (Craig Gentry's advisor) is currently giving a Coursera course on it:

<https://class.coursera.org/crypto-006/class>

I'd highly recommend it, it's amazingly interesting, and Boneh is very good at
explaining things. I used to think that cryptography was hopelessly
impenetrable, but it turns out most algorithms (well, mostly symmetric
cryptography) are simple to understand. We're currently at asymmetric crypto
and the math's starting.

~~~
gbaygon
Be aware that you will need 1 hour/day for the videos, and a couple of
hours/week to read additional material and exercises.

I joined the course but couldn't keep the pace.

That being said you can still access the material without doing the exams to
do the course at your own rhythm.

~~~
StavrosK
Hmm, each week of lessons took me roughly 3 hours a week for the whole course.
Doing them at your own pace is also very good, though, as you're pretty much
getting the same benefit, but not as much motivation.

~~~
gbaygon
Yes you are right, i should clarify that this is my personal experience, with
zero previous knowledge on cryptography, and pausing the video continuously to
investigate the topics and do some calculations.

~~~
StavrosK
I didn't have any prior knowledge either, I guess this is due to each person's
method of studying. I generally don't go in very much depth.

------
symmetricsaurus
The README has lots of really cool words and names and things. But it doesn't
say what homomorphic encryption is or what it is good for. Could someone
enlighten me?

~~~
jychang
TL;DR: It allows you to edit encrypted stuff without decrypting it.

For example, if you had a book of everyone's salaries, you can ask Bob to add
$5000 to it. Normally you'd have to give him the key, but with homomorphic
encryption you can just perform operations without decrypting it and having
Bob know everyone's salaries.

This becomes really powerful for stuff that you need to work with lots of data
without knowing the contents of - cloud computing, for example.

~~~
opminion
Think Google without the privacy issues.

------
nraynaud
I skimmed some docs, and I can't find the list of operation that can be done
with that. Is it numerical stuff like addition/multiplication? Is it text
editing?

~~~
betterunix
Any algorithm.

------
jychang
It's basically this,
[http://eurocrypt2010rump.cr.yp.to/9854ad3cab48983f7c2c5a2258...](http://eurocrypt2010rump.cr.yp.to/9854ad3cab48983f7c2c5a2258e27717.pdf)
, I think. I wonder what the performance numbers are.

~~~
tbmbob
This is not quite true: the mathematical problems upon which they base their
security, though related, have some important differences. Most significantly,
the problem upon which this new implementation is based (Ring-Learning with
errors) is theoretically much more time and space efficient than the problem
upon which your linked implementation is based (approximate GCD).

------
Zarathust
While I greatly applaud the effort of implementing such a complex crypto
scheme, I'm afraid I will have to wait years before using something like this.
Who wants to be the early adopter of a cryptographic library?

------
JacobiX
Holomorphic encryption is a very interesting concept especially in a cloud
setting. One could perform some operations on encrypted client data. But I
don't know if it's mature enough.

~~~
ajb
I doubt it. A quick look at the papers referenced shows a huge cost factor.

~~~
eru
Yes, in general. Special cases can be fast enough.

------
doe88
For those trying to compile it, you'll need to install the last version
(6.0.0) of NTL (the Ubuntu package from 13.04 does not provide this version).

------
tocomment
could you use something like this to make an anonymous bitcoin protocol?

~~~
tlrobinson
Check out Zerocoin, though I don't think it uses homomorphic encryption
<https://en.bitcoin.it/wiki/Zerocoin>

------
escaped_hn
I thought homomorphic encryption wasn't secure or complete due to the fiaso
that happened on SE earlier this month?

~~~
walrus
The SE thing was someone _claiming_ a company was doing homomorphic encryption
when they really weren't.

(Here's a link for others:
[http://crypto.stackexchange.com/questions/3645/how-is-
cipher...](http://crypto.stackexchange.com/questions/3645/how-is-ciphercloud-
doing-homomorphic-encryption))

------
topbanana
OK, I read this as homeopathic. I need some sleep

------
kvakvs
GPL? That doesn't encourage too many uses of this code. Especially for
commercial purposes.

~~~
pja
Feel free to write your own version and release it under a more permissive
license then.

~~~
krichman
While it seems ridiculous to complain about which FOSS license is being used,
it's a legitimate observation since there are certain app stores that disallow
GPL'd code entirely.

It'd be nice if the author was willing to change the license but it's not
something one can reasonably demand.

~~~
new299
It would also be nice (actually nicer) if those app stores would allow GPL
code.

~~~
lucian1900
It's often the other way around, the GPL disallows distributing the software
under the very restrictive terms of those app stores.

~~~
new299
Sure, but it would be entirely possible for Appstores to make their terms less
restrictive, I don't blame people for using licenses like the GPL which are
designed to push people in that direction.

~~~
lucian1900
I don't think it's very likely app stores will change their terms in the
direction of complying with the GPL.

I don't blame people using the GPL either (except possibly people that use it
for libraries), nor people that publish apps on the various stores, I was just
clarifying a point.

