Introduction to Homomorphic Encryption
Hubert Hesse, Christoph Matthies, Robert Lehmann
@hubx @chrisma0 @rlehmann
2013
What is that?
operation(plain)
==
decrypt(operation'(encrypt(plain)))
i.e. outputs of operations on encrypted data are still usable
Current context
July 2013: change in the "De-Mail-Gesetz" defining De-Mail as secure [1]
● Needs to be decrypted by the provider to "check for viruses"
● (Secret) key on the server of the provider
○ Server becomes a juicy target
● Homomorphic encryption
○ Can check without decryption
[1] http://www.spiegel.de/netzwelt/netzpolitik/de-mail-bundestag-erklaert-bundes-mail-per-gesetz-als-sicher-a-895361.html
Use cases
Doing something without knowing what
● Medical records
○ Analyze disease / treatment without disclosing them
○ Search for DNA markers without revealing the DNA
○ "Digitale Krankenakte"
● Spam filtering
○ Blacklisting encrypted mails
○ Third parties can scan your PGP traffic
Homomorphism
groups (P, ⊕) and (C, ⊗)
relation f : P → C
f is a group homomorphism between P and C if:
∀ a,b ∈ P: f(a ⊕ b) = f(a) ⊗ f(b)
Especially:
∀ a,b ∈ P: a ⊕ b = f⁻¹( f(a) ⊗ f(b) )
(be aware: this maps one operation to another)
Examples
groups (R, +) and (R*, ×)
function: R → R
exp(x+y) = exp(x) × exp(y)
10^(x+y) = 10^x × 10^y
ln(a×b) = ln(a) + ln(b)
Practical example
In RSA, multiplication is (accidentally) a homomorphism
Imagine
width = 7
height = 3
what's the area?
→ area solver™
Enter the cloud
width = 7
height = 3
→ area solver™ (in the cloud)
privacy?
RSA to the rescue
Key generation
Select p=11, q=13
p*q = 143 = N
φ(N) = φ(143) = (p-1)*(q-1) = 120
Select e with gcd(e,120) = 1: e = 23
Calculate d with e*d ≡ 1 mod φ(N):
e*d + k*φ(N) = 1 = gcd(e,φ(N))
23*d + k*120 = 1 = gcd(23,120)
d = 47, k = -9
public key (e, N) = (23, 143)
private key (d, N) = (47, 143)
(image: the justified sinner, flickr (CC BY-NC-SA 2.0))
wait, RSA?
Encryption in RSA ≡ homomorphic property
private key := (47, 143)
public key := (23, 143)
width = 7
height = 3
encrypt (public key):
c_w ≡ width^e mod N ≡ 7^23 mod 143 = 2
c_h ≡ height^e mod N ≡ 3^23 mod 143 = 126
send to the area solver: width = 2, height = 126
area solver: area = 2 × 126 = 252
decrypt (private key):
area ≡ cipher^d mod N ≡ 252^47 mod 143 = 21
= 7 × 3 (sanity check)
Different homomorphisms
● RSA allows only multiplication
○ Other operations on ciphertext (e.g. +) break decryption
● Other schemes allow different operations (e.g. + and -)
● Algebra homomorphisms allow × and +
○ Much more powerful
circumference calculation:
correct: 3*2 + 7*2 = 20
encrypted: 2*2 + 2*126 = 256
decryption: 256^47 mod 143 = 42
42 ≠ 20 ⚡
f: A→B alg. hom. ⇔ ∀k∈K; x,y∈A:
• f(k*x) = k*f(x)
• f(x+y) = f(x)+f(y)
• f(x*y) = f(x)*f(y)
Need to select the appropriate homomorphic encryption scheme for the application
System                 Plaintext operation              Cipher operation
RSA                    ×                                ×
Paillier               +, −  (m×k, m+k)                 ×, ÷  (c^k, c×g^k)
ElGamal                ×     (m×k, m^k)                 ×     (c×k, c^k)
Goldwasser-Micali      ⊕                                ×
Benaloh                +, −                             ×, ÷
Naccache-Stern         +, −  (m×k)                      ×, ÷  (c^k)
Sander-Young-Yung      ×                                +
Okamoto-Uchiyama       +, −  (m×k, m+k)                 ×, ÷  (c^k, c+e(k))
Boneh-Goh-Nissim       Paillier (+, −, m×k, m+k),       Paillier,
                       × (once)                         bilinear pairing
US 7'995'750 / ROT13   +                                +
Pollution (simplified)
● Operations on ciphertext accumulate "noise"
○ Addition adds noise, multiplication multiplies it
○ Noise gets too high → decryption fails
● These "limited" algebra homomorphism schemes:
Somewhat Homomorphic Encryption Schemes
(image: Bob August, flickr (CC BY-NC-SA 2.0))
Pollution
● Using a small N in RSA and large inputs
○ When the output is larger than the RSA modulus, decryption fails
Example: calculate the area of a square using RSA
10*15 = 150
Encryption:
c_w ≡ 10^23 mod 143 ≡ 43
c_h ≡ 15^23 mod 143 ≡ 20
c_a = 43*20 = 860
Decryption:
a ≡ 860^47 mod 143 ≡ 7 (≡ 150 mod 143)
7 ≠ 150 ⚡
(figure: a rectangle with sides 15 and 10)
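The area-solver walk-through, the failed circumference calculation and the pollution example, as an added worked example in Python that is not part of the original deck: textbook RSA with the deck's toy parameters (p=11, q=13, e=23), an untrusted solver that only ever handles ciphertexts, and the three decryptions the deck arrives at (21, 42 and 7). Function names are mine.

```python
# Added example, not code from the deck: textbook RSA with the deck's toy key
# (p=11, q=13, e=23 -> d=47, N=143) and an "area solver" that only sees ciphertexts.
from math import gcd


def keygen(p: int, q: int, e: int):
    """Return ((e, N), (d, N)) for the deck's choice of p, q and e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(N)")
    d = pow(e, -1, phi)  # e*d = 1 mod phi(N); three-argument pow with -1 needs Python 3.8+
    return (e, n), (d, n)


def encrypt(pub, m: int) -> int:
    e, n = pub
    return pow(m, e, n)  # c = m^e mod N


def decrypt(priv, c: int) -> int:
    d, n = priv
    return pow(c, d, n)  # m = c^d mod N


def area_solver(c_w: int, c_h: int) -> int:
    """Untrusted cloud: multiplies the ciphertexts, never sees a key or a plaintext."""
    return c_w * c_h


def circumference_solver(c_w: int, c_h: int) -> int:
    """Same cloud using + on ciphertexts; RSA has no additive homomorphism."""
    return 2 * c_w + 2 * c_h


def demo():
    pub, priv = keygen(11, 13, 23)                 # (23, 143), (47, 143)
    c_w, c_h = encrypt(pub, 7), encrypt(pub, 3)   # 2, 126
    area = decrypt(priv, area_solver(c_w, c_h))   # 21 == 7 * 3
    circ = decrypt(priv, circumference_solver(c_w, c_h))  # 42, not 20
    # "Pollution": 10 * 15 = 150 exceeds N = 143, so only 150 mod 143 = 7 comes back.
    big = decrypt(priv, area_solver(encrypt(pub, 10), encrypt(pub, 15)))
    return {"pub": pub, "priv": priv, "c": (c_w, c_h),
            "area": area, "circumference": circ, "polluted": big}


if __name__ == "__main__":
    print(demo())
```

The malleability that makes the solver work is the same property that lets a ciphertext be altered undetectably, which is why the deck's "area solver" trusts the cloud only with computation, never with integrity.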
Beyond + and ×
Every program* can be expressed in terms of a digital circuit.
* referentially transparent, i.e. without side effects; today() is not referentially transparent
(image: Tristan Nitot, flickr (CC BY-NC-SA 2.0))
Every digital circuit can be expressed in terms of AND, OR, and NOT.
(remember Disjunctive Normal Forms?)
Every digital circuit can be expressed in terms of AND and XOR:
XOR(x, 1) = NOT(x)
NOT(AND(NOT(x), NOT(y))) = !(!x & !y) = OR(x, y)
Fully homomorphic encryption
With ∧ and ⊕ we can represent any operation
(image: Duane Romanell, flickr (CC BY-NC-ND 2.0))
Circuit Encryption
● Assume homomorphic enc:
○ 0-bits → even ints
○ 1-bits → odd ints
○ ⊕ → +
○ ∧ → ×
○ Define: ∘ = (a + b) + (a × b) (logical OR)
{ OR = (a ∧ b) ⊕ (a ⊕ b) }
(+ random r × secret p, mod p!)
{ simple truth tables }
Circuit Encryption: toy example, single bit adder
● A, B: inputs; Cin: carry-in; S: sum; Cout: carry-out
S = (A ⊕ B) ⊕ Cin
Cout = (A ∧ B) ∨ ((A ⊕ B) ∧ Cin)
map operators (⊕ → +, ∧ → ×, ∨ → ∘):
S = (A + B) + Cin
Cout = (A × B) ∘ ((A + B) × Cin)
apply to the encrypted inputs A = 3, B = 4, Cin = 7 (plaintext A = 1, B = 0, Cin = 1):
S = (3 + 4) + 7 = 14 ≙ 0
Cout = (3 × 4) ∘ ((3 + 4) × 7) = 12 ∘ 49 = (12 + 49) + (12 × 49) = 61 + 588 = 649 ≙ 1
with ∘ = (a + b) + (a × b)
A  B  Cin  S   Cout
1  0  1    0   1      (plaintext)
3  4  7    14  649    (encrypted)
Circuit Encryption (recap)
● 0-bits → even ints, 1-bits → odd ints, ⊕ → +, ∧ → ×, ∘ = (a + b) + (a × b) (logical OR)
(actually mod a secret p)
Circuit Encryption: Encrypted Memory Access
● Example: select memory cell m_i by the address bits (a0, a1)
¬a0 ∧ ¬a1 ∧ m0
a0 ∧ ¬a1 ∧ m1
¬a0 ∧ a1 ∧ m2
a0 ∧ a1 ∧ m3
m0  m1  m2  m3  |  a0  a1
1   x   x   x   |  0   0
x   1   x   x   |  1   0
x   x   1   x   |  0   1
x   x   x   1   |  1   1
Encrypted Memory Access [1]
row3 = a0 ∧ a1 ∧ m3
row2 = ¬a0 ∧ a1 ∧ m2
row1 = a0 ∧ ¬a1 ∧ m1
row0 = ¬a0 ∧ ¬a1 ∧ m0
c = row0 ∨ row1 ∨ row2 ∨ row3
[1] M Brenner, J Wiebelitz, G von Voigt. Secret program execution in the cloud applying homomorphic encryption. 2011
Plaintext evaluation: m = {1, 0, 1, 0}, a = 01 (a0 = 0, a1 = 1)
row3 = 0 ∧ 1 ∧ 0 = 0
row2 = 1 ∧ 1 ∧ 1 = 1
row1 = 0 ∧ 0 ∧ 0 = 0
row0 = 1 ∧ 0 ∧ 1 = 0
c = 0 ∨ 0 ∨ 1 ∨ 0 = 1
Encrypted evaluation (0-bits → even ints, 1-bits → odd ints, ⊕ → +, ∧ → ×, ∨ → ∘)
m = {1, 0, 1, 0} → m = {5, 4, 9, 6}; a = 01 → a = {8, 3}
¬a0 → a0 + 1, ¬a1 → a1 + 1
row3 = a0 × a1 × 6 = 8 × 3 × 6 = 144
row2 = (a0 + 1) × a1 × 9 = 9 × 3 × 9 = 243
row1 = a0 × (a1 + 1) × 4 = 8 × 4 × 4 = 128
row0 = (a0 + 1) × (a1 + 1) × 5 = 9 × 4 × 5 = 180
c = row0 ∘ row1 ∘ row2 ∘ row3 = 180 ∘ 128 ∘ 243 ∘ 144 = 826087619 ≙ 1
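The single-bit adder and the encrypted memory access, as an added Python example that is not part of the original deck. The parity encoding, the operator mapping and the inputs (A=3, B=4, Cin=7; m = {5, 4, 9, 6}, a = {8, 3}) are the deck's; the helper names and the random encoder are mine. It goes one step beyond the deck by checking the adder over all eight input combinations under fresh random encodings.

```python
# Added example, not code from the deck: the deck's parity-based toy "circuit
# encryption". A bit b is encoded as an integer whose parity is b; XOR -> +,
# AND -> x, OR := (a + b) + (a x b). As in the slides, no modulus or noise term.
import random


def enc(bit: int, rng: random.Random) -> int:
    """Hide a bit in a random integer of that parity (constructed encoding)."""
    return 2 * rng.randrange(1, 8) + bit


def dec(x: int) -> int:
    return x % 2


def xor(a: int, b: int) -> int:
    return a + b


def and_(a: int, b: int) -> int:
    return a * b


def or_(a: int, b: int) -> int:
    return (a + b) + (a * b)      # the deck's "∘" operator


def not_(a: int) -> int:
    return a + 1                  # XOR with the constant 1


def full_adder(a: int, b: int, cin: int):
    """S = (A ⊕ B) ⊕ Cin, Cout = (A ∧ B) ∨ ((A ⊕ B) ∧ Cin), on encoded bits."""
    s = xor(xor(a, b), cin)
    cout = or_(and_(a, b), and_(xor(a, b), cin))
    return s, cout


def mem_read(m, a0: int, a1: int):
    """Encrypted memory access: 4-way mux, row i = (address decode) ∧ m[i]."""
    rows = [
        and_(and_(not_(a0), not_(a1)), m[0]),   # row0: ¬a0 ∧ ¬a1 ∧ m0
        and_(and_(a0, not_(a1)), m[1]),         # row1:  a0 ∧ ¬a1 ∧ m1
        and_(and_(not_(a0), a1), m[2]),         # row2: ¬a0 ∧  a1 ∧ m2
        and_(and_(a0, a1), m[3]),               # row3:  a0 ∧  a1 ∧ m3
    ]
    c = rows[0]
    for r in rows[1:]:
        c = or_(c, r)                           # c = row0 ∘ row1 ∘ row2 ∘ row3
    return c, rows


def adder_matches_truth_table(seed: int = 1) -> bool:
    """Check all 8 input combinations under fresh random encodings."""
    rng = random.Random(seed)
    for a in (0, 1):
        for b in (0, 1):
            for cin in (0, 1):
                s, cout = full_adder(enc(a, rng), enc(b, rng), enc(cin, rng))
                if dec(s) != a ^ b ^ cin or dec(cout) != int(a + b + cin >= 2):
                    return False
    return True


if __name__ == "__main__":
    print(full_adder(3, 4, 7))                  # (14, 649)
    print(mem_read([5, 4, 9, 6], 8, 3))         # (826087619, [180, 128, 243, 144])
    print(adder_matches_truth_table())          # True
```

Note how fast the integers grow: the mux result is already nine digits after one OR chain, which is the "pollution" the deck describes and the reason real schemes reduce mod a secret p.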
Fully homomorphic encryption
● "Holy Grail" of cryptography
● First proposed within a year of RSA's development
○ 1979
○ Idea due to the weird homomorphic property of RSA
● For more than 30 years: unclear whether FHE is even possible
○ During that time: best one = Boneh-Goh-Nissim
(remember the area solver example)
(the one where only one multiplication was possible)
(figure: Google Trends for "fully homomorphic encryption"; labels: 1000 patents, 200 patents)
Gentry's approach
● 2009: Craig Gentry shows fully homomorphic encryption in his doctoral thesis
● Employs a somewhat homomorphic encryption scheme using ideal lattices
● Scheme is bootstrappable
○ can evaluate its own decryption circuit
● Through recursive self-embedding, leads to FHE
○ ciphertexts are re-encrypted, eliminating noise
(based on the "shortest lattice vector" problem used in cryptography, which is NP-hard)
Gentry's approach
(figure: plaintext → ciphertext → refreshed ciphertext; labels: secret key, encryption of secret key)
(image: catechism, flickr (CC BY-NC-SA 2.0))
https://www.youtube.com/watch?v=Y1TxCiOuoYY
Issues
"[...] a simple string search using homomorphic encryption is about a trillion times slower than without encryption." [1]
1 000 000 000 000×
[1] CryptDB: A practical encrypted relational DBMS, RA Popa, N Zeldovich, H Balakrishnan, 2011
Fully hom. enc. IRL
● HElib by Shai Halevi (2013)
○ Implementation of the Brakerski-Gentry-Vaikuntanathan scheme [1]
○ Uses many optimizations from the literature [2][3] for speed
○ Does not implement bootstrapping (yet)
[1] Zvika Brakerski, Craig Gentry, Vinod Vaikuntanathan: (Leveled) fully homomorphic encryption without bootstrapping. ITCS 201
[2] Nigel P. Smart, Frederik Vercauteren: Fully Homomorphic SIMD Operations. IACR Cryptology ePrint Archive 2011: 133 (2011)
[3] Craig Gentry, Shai Halevi, Nigel P. Smart: Homomorphic Evaluation of the AES Circuit. CRYPTO 2012
Performance (even numbers < 65537, 80 bits of security)
Modulus   Time for addition (ms)   Time for multiplication (ms)
257       0.7                      39
8209      0.7                      38
65537     2.9                      177
Criticism
"Visions of a fully homomorphic cryptosystem have been dancing in cryptographers' heads for thirty years. [...] It will be years before a sufficient number of cryptographers examine the algorithm that we can have any confidence that the scheme is secure." [1]
—Bruce Schneier, cryptographer, April 2013
[1] Homomorphic Encryption Breakthrough, Schneier on Security, Bruce Schneier, https://www.schneier.com/blog/archives/2009/07/homomorphic_enc.html
Last few years
Conclusion
— Halevi, 2012 [1]
[1] Recent Advances in Homomorphic Encryption, presentation by Shai Halevi, IBM Research, Feb. 13, 2012, http://n
csail.mit.edu/sys-security/FHE.pptx
Thanks for listening
Questions?
Source: http://www.google.com/patents/US7995750
