4

I have often heard that because a fully homomorphic encryption scheme allows for both additions and multiplications on encrypted data, most other operations can be simulated. I don't understand how exponentiation can be done, i.e., how to build $E(x^y)=E(x)^{E(y)}$ ?

If it can't be done, is there a FHE that support $E(x) . E(y) = E(x^y)$ where the operation on encrypted data is not necessarily exponentiation?

nullgraph
  • 141
  • 3
  • 3
    If you know the maximum number of bits in $y$, you can get the binary expansion of $y$ and then do the traditional square-and-multiply. – mikeazo Feb 27 '15 at 02:58
  • 1
    http://crypto.stackexchange.com/questions/15436/how-could-fully-homomorphic-encryption-support-power-operations? – Thomas Feb 27 '15 at 05:12
  • Calculating $y-1$ times the product $E(x)E(x)$ gives us $E(x)^{E(y)}$. And it decrypts to $x^y$, since $E(x) \cdot E(x) \cdot .. \cdot E(x) = E(x \cdot x \cdot .. \cdot x) = E(x^y)$. – Hilder Vitor Lima Pereira Feb 27 '15 at 16:14
  • @mikeazo Do you mean the max number of bits of $y$ after encryption? That might be very different from before encryption. – nullgraph Feb 27 '15 at 18:20
  • @VitorLima I'm confused: we can do multiplication built on addition using the same technique. If so then PHE with addition only can be turned into FHE? – nullgraph Feb 27 '15 at 18:27
  • @nullgraph, no, from before encryption. – mikeazo Feb 27 '15 at 19:18
  • @nullgraph it's an interesting question... I think the main difference is that exponentiation is defined as a sequence of multiplication. But the products are not necessarily defined in terms of sums. For example, if the scheme works over polynomials, you may have these two ciphertexts: $c_1 = x + 1$ and $c_2 = x^2$. Then, $c_1 \cdot c_2 = x^3 + x^2$. But we can't get $x^3 + x^2$ summing $c_1$ to itself or $c_2$ to itself... – Hilder Vitor Lima Pereira Feb 27 '15 at 20:28
  • 3
    @VitorLima, the problem with "y-1 times the product E(x)E(x)" is that you don't know when you reach zero, i.e., you don't know when to stop. This question is very related to this discussion. – mikeazo Feb 27 '15 at 20:36
  • @nullgraph, definitely don't delete it. It helps to have multiple ways of explaining something for people searching. If they hit yours, they will then see the link to the other. – mikeazo Feb 27 '15 at 20:40
  • @mikeazo I just realized that we have to know the $y$ to do what I said. I'll see the link you posted here. Thank you. – Hilder Vitor Lima Pereira Feb 27 '15 at 20:46
  • @mikeazo After reading your other answer, I see what you mean about knowing the number of bits of unencrypted $y$. In reality it might not be possible but then I suppose you can pad it to a certain length, but then computation time might increase quite a lot. – nullgraph Feb 27 '15 at 21:31
  • 1
    @VitorLima I don't think you need to know $y$ to do what you suggested, if encryption is FHE, you can do $E(y-1)$. I think the point mikeazo was making is that at some point, you will get E(0), however, due to semantic security, you wouldn't be able to tell E(0) from E(something else). – nullgraph Feb 27 '15 at 21:35
  • Other thing, I saw the link of the other question and there, it just discusses the case o exponentiation when the base is know (in the question, it's 2) and the expoent is ciphered. Why it's equivalent to the general case when both the base and the exponent are ciphered ? – Hilder Vitor Lima Pereira Feb 28 '15 at 12:29
  • @VitorLima If you look at the algorithm, it starts with B=E(2), just replace that with B=E(x). – nullgraph Feb 28 '15 at 21:44

0 Answers0