8

Homomorphic encryption is often touted for its ability to

  1. Compute on encrypted data with public functions
  2. Compute an encrypted function on public (or private) data

I feel I have a good grasp of #1 as most of the papers I've come across on homomorphic encryption (both partially and fully) seem to deal with this type of problem, but #2 I haven't been able to wrap my head around.

So, to whittle this down to the simplest case, given a fully homomorphic encryption scheme, let the public input be $a,b,c,d$ (each is a single bit for simplicity). How would I construct a function to compute $(a\vee b) \wedge (c\vee\neg d)$ such that whoever I give it to will not know what the actual function is (granted this is such a simple example they could easily create a brute-force lookup table)?

I'm not looking for an exact function, but how this would be done in general. How does it change if I make it that $a,b,c,d$ are private (to the function creator)? Is the process similar for partially homomorphic (where only the $\wedge$ or $\vee$ operations are possible)?

mikeazo

2 Answers

6

Theoretically, with fully-homomorphic encryption (like with Gentry's scheme), you could make a circuit (with memory) which computes over encrypted data and outputs encrypted results. The circuit could be a general-purpose CPU, and the encrypted data the code which is to be executed (reading this again, I think this is what @ByteCoin suggests).

Since this method requires doing some pretty heavy stuff for every gate in the circuit (including every gate which is used for RAM in our custom CPU) and for every clock cycle as well, the cost would be tremendous (polynomial, yes, but with a hell of an exponent).

Now this would work over encrypted data, and produce encrypted results. If you want an encrypted function which runs over public input data and produces a public output, then the party who holds the decrypting key must be involved at some point. Without such a party, I don't think it is known whether it is doable.

Thomas Pornin
3

I haven't seen homomorphic schemes touted as enabling encrypted functions on public data. Please provide a reference. It would seem to contradict papers such as "On the (Im)possibility of Obfuscating Programs".

However, it would seem possible to imagine a program of sufficient generality that divides its input data into two sets. The first set corresponds to the input of the unencrypted function and the second set influences the program's operations on the input data. So, in short, the program is simulating some sort of processor and the second set of data is the program running on the processor. If the inputs are commitments to the real input data and program, then the operation of the program should be obscure until the result is calculated, whereupon the resulting commitments need to be opened. This would seem to approach the functionality you require.

ByteCoin
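The idea in both answers (the function itself is encrypted data fed to a fixed, public circuit), as an added example that is not from either answer: a toy symmetric integer scheme in the style of van Dijk, Gentry, Halevi and Vaikuntanathan stands in for a real FHE scheme, and the universal circuit is a 16-row truth-table lookup rather than a CPU. The parameters and all function names are assumptions chosen for illustration and give no security; the output stays encrypted until the key holder decrypts it.

```python
import secrets

# Toy symmetric scheme over the integers: c = p*q + 2*r + m.
# Illustrative parameters only (assumed here); they provide no real security.
P_BITS, Q_BITS, R_BITS = 256, 512, 8

def keygen():
    """Secret key: a random odd integer p with the top bit set."""
    return secrets.randbits(P_BITS) | (1 << (P_BITS - 1)) | 1

def enc(p, m):
    """Encrypt one bit m; the noise 2*r + m stays far below p."""
    return p * secrets.randbits(Q_BITS) + 2 * secrets.randbits(R_BITS) + m

def dec(p, c):
    """Strip the multiple of p, then read the parity of the noise."""
    return (c % p) % 2

def target(a, b, c, d):
    """The function from the question: (a OR b) AND (c OR NOT d)."""
    return (a | b) & (c | (1 - d))

def encode_function(p, f, n=4):
    """Function owner: encrypt the truth table of f, one ciphertext per row.
    Row i holds f(x_0..x_{n-1}) where x_j is bit j of i."""
    return [enc(p, f(*[(i >> j) & 1 for j in range(n)])) for i in range(1 << n)]

def universal_eval(enc_table, xs):
    """Evaluator: a fixed lookup circuit, identical for every n-input f.
    Each x is either a plain 0/1 integer (public input) or a ciphertext
    (private input); the arithmetic is the same in both cases."""
    out = 0
    for i, t in enumerate(enc_table):
        sel = t
        for j, x in enumerate(xs):
            # x + i_j + 1 is odd exactly when x equals bit j of the row index
            sel *= x + ((i >> j) & 1) + 1
        out += sel  # integer addition acts as XOR on the plaintext bits
    return out

if __name__ == "__main__":
    p = keygen()
    table = encode_function(p, target)       # all the evaluator ever sees
    result = universal_eval(table, [1, 0, 0, 1])
    print(dec(p, result))                    # decryption needs the key holder
```

The evaluator learns only the number of inputs, since every 4-input function produces a table of the same shape, but the table grows as 2^n, which is why the answers talk about a general-purpose processor circuit instead.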