WAN optimization for encrypted data traffic using fully homomorphic encryption

US12355879B2 · US · B2

Patent metadata
Publication number: US-12355879-B2
Application number: US-202218076332-A
Country: US
Kind code: B2
Filing date: Dec 6, 2022
Priority date: Dec 6, 2022
Publication date: Jul 8, 2025
Grant date: Jul 8, 2025

Abstract

Official abstract text for this publication.

Some embodiments of the invention provide a method for WAN (wide area network) optimization for a WAN that connects multiple sites, each of which has at least one router. At a gateway router deployed to a public cloud, the method receives, from at least two routers at at least two sites, multiple data streams destined for a particular centralized datacenter. The method performs a WAN optimization operation to aggregate the multiple streams into one outbound stream that is WAN optimized for forwarding to the particular centralized datacenter. The method then forwards the WAN-optimized data stream to the particular centralized datacenter.

First claim

Opening claim text (preview).

The invention claimed is:

1. A method for WAN (wide area network) optimization for a WAN that connects a first site that sends a data stream to a second site, the method comprising: at the second site: generating a plurality of keys for performing operations on the data stream, the plurality of keys comprising at least a secret decryption first key, a public evaluation second key, and a public encryption third key; from the first site, receiving an optimized, encrypted file in the data stream, the optimized encrypted file comprising a set of encrypted segments and a set of segment identifiers; without decrypting the optimized, encrypted file, using the secret decryption first key (i) to decompress the optimized, encrypted file and (ii) to identify the set of encrypted segments and the set of segment identifiers; for each identified segment identifier in the set of segment identifiers, performing a lookup in a segment cache at the second site that stores a plurality of segments received at the second site to identify and retrieve a segment corresponding to the segment identifier; and using the retrieved segment and the identified set of encrypted segments to reconstruct the encrypted file.

2. The method of claim 1, wherein the method is performed by a destination device of the data stream at the second site.

3. The method of claim 1, wherein the first site comprises a first public cloud, and receiving the optimized, encrypted file from the first site comprises receiving the optimized, encrypted file from a first gateway router deployed to the first public cloud that optimizes and forwards a data stream originating from a source device at a third site connected by the WAN.

4. The method of claim 3, wherein the second site comprises a second public cloud, wherein the method is performed by a second gateway router deployed to the second public cloud for receiving, processing, and forwarding the data stream to a destination device of the data stream at a fourth site connected by the WAN.

5. The method of claim 4 further comprising forwarding the reconstructed encrypted file to the destination device at the fourth site.

6. The method of claim 1, wherein generating the plurality of keys further comprises forwarding (i) a public evaluation second key to a particular gateway router for performing WAN optimization operations on encrypted data streams sent between a particular source and a particular destination including a received particular data stream without decrypting the encrypted data streams and (ii) a public encryption third key to the particular source for encrypting the particular data stream.

7. The method of claim 6, wherein the particular gateway router uses the public evaluation second key (i) to divide the encrypted data stream into a second set of encrypted segments, (ii) to perform a TRE (traffic redundancy elimination) operation on the set of encrypted segments in order to eliminate redundant segments from the set of encrypted segments, and (iii) to perform a compression operation on the set of encrypted segments in order to produce the optimized, encrypted data stream.

8. The method of claim 1 further comprising forwarding a reconstructed encrypted data stream to a destination of an encrypted data stream.

9. The method of claim 1, wherein using the identified set of encrypted segments to reconstruct an encrypted data stream in full further comprises: identifying one or more segment identifiers in the set of encrypted segments; performing a lookup in a segment cache that stores full segments known to a destination of the encrypted data stream; and retrieving from the segment cache one or more segments corresponding to the identified one or more segment identifiers.

10. The method of claim 9 further comprising replacing the identified one or more segment identifiers in the set of encrypted segments with the one or more retrieved segments to reconstruct the encrypted data stream in full.

11. The method of claim 9 further comprising updating state for each retrieved segment in the segment cache, wherein updating the state comprises updating a last-seen timestamp for each retrieved segment in the segment cache.

12. The method of claim 9 further comprising: identifying each full segment in the set of encrypted segments; and adding each identified full segment to the segment cache.

13. The method of claim 12 further comprising: receiving a second optimized encrypted data stream comprising at least one segment identifier corresponding to at least one identified full segment added to the segment cache; and replacing the at least one segment identifier in the second optimized encrypted data stream with the at least one identified full segment from the segment cache.

14. A non-transitory machine readable medium storing a program for execution by a set of processing units, the program for processing a WAN (wide area network) optimized data stream sent from a first site to a second site, the first and second sites connected by a WAN, the program comprising sets of instructions for: generating a plurality of keys for performing operations on the data stream, the plurality of keys comprising at least a secret decryption first key, a public evaluation second key, and a public encryption third key; from the first site, receiving an optimized, encrypted file in the data stream, the optimized encrypted file comprising a set of encrypted segments and a set of segment identifiers; without decrypting the optimized, encrypted file, using the secret decryption first key (i) to decompress the optimized, encrypted file and (ii) to identify the set of encrypted segments and the set of segment identifiers; for each identified segment identifier in the set of segment identifiers, performing a lookup in a segment cache at the second site that stores a plurality of segments received at the second site to identify and retrieve a segment corresponding to the segment identifier; and using the retrieved segment and the identified set of encrypted segments to reconstruct the encrypted file.

15. The non-transitory machine readable medium of claim 14, wherein the set of instructions for generating the plurality of keys further comprises a set of instructions for forwarding (i) a public evaluation second key to a particular gateway router for performing WAN optimization operations on encrypted data streams sent between a particular source and a particular destination including a received particular data stream without decrypting the encrypted data streams and (ii) a public encryption third key to the particular source for encrypting the particular data stream.

16. The non-transitory machine readable medium of claim 15, wherein the particular gateway router uses the public evaluation second key (i) to divide an encrypted data stream into a set of encrypted segments, (ii) to perform a TRE (traffic redundancy elimination) operation on the set of encrypted segments in order to eliminate redundant segments from the set of encrypted segments, and (iii) to perform a compression operation on the set of encrypted segments in order to produce the optimized, encrypted file.

17. The non-transitory machine readable medium of claim 15, the program further comprising a second set of instructions for forwarding the reconstructed encrypted data stream to a destination device of the encrypted data stream located at the second site.

18. The non-transitory machine readable medium of claim 15, wherein the set of instructions for using the identified set of encrypted segments to
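Claims 7 and 9-13 describe the two halves of the scheme: a gateway that segments a stream, replaces segments the destination already holds with identifiers and compresses the result, and a destination that decompresses, resolves the identifiers against its segment cache, adds every full segment to that cache and refreshes a last-seen timestamp on each hit. The following is an added example, not code from the patent or from VMware, that runs that protocol end to end on plain bytes so the cache state can be inspected. It does not model the homomorphic part: in the patent the gateway does its work on ciphertext under the public evaluation key (claims 6-7), whereas here the gateway sees plaintext. The fixed 64-byte segment size, SHA-256 as the segment identifier, the `F`/`I` record format, zlib as the "compression operation" and the sample payloads are all assumptions of this example.

```python
"""TRE (traffic redundancy elimination) with a destination-side segment cache.

Added example, not code from the patent or from VMware: it models the gateway
TRE-and-compress step (claim 7) and the destination reconstruction and cache
upkeep (claims 1, 9-13) on plain bytes. The patent runs the gateway step on
ciphertext under a public evaluation key; that is not modelled. Assumptions:
fixed 64-byte segments, SHA-256 identifiers, the F/I records below, zlib.
"""
import hashlib
import struct
import zlib
from dataclasses import dataclass, field

SEGMENT_SIZE = 64  # assumption; production TRE usually uses content-defined chunking
ID_LEN = 32        # SHA-256 digest length

def segment_id(segment: bytes) -> bytes:
    return hashlib.sha256(segment).digest()

@dataclass
class CacheEntry:
    segment: bytes
    last_seen: int  # claim 11: refreshed on every retrieval

@dataclass
class SegmentCache:
    """Destination-side cache of full segments already received (claims 9-13)."""
    entries: dict = field(default_factory=dict)
    clock: int = 0  # logical clock standing in for wall-clock timestamps

    def add(self, segment: bytes) -> None:
        self.clock += 1
        self.entries[segment_id(segment)] = CacheEntry(segment, self.clock)

    def lookup(self, sid: bytes) -> bytes:
        entry = self.entries.get(sid)
        if entry is None:  # the failure mode a TRE receiver must handle, not ignore
            raise KeyError(f"segment {sid.hex()[:16]} not in cache")
        self.clock += 1
        entry.last_seen = self.clock
        return entry.segment

def optimize(data: bytes, known_to_destination: set) -> bytes:
    """Gateway side (claim 7): segment, swap known repeats for identifiers, compress.
    Records: b'F' + u32 length + segment, or b'I' + identifier for a segment the
    gateway believes the destination already caches (tracked in the given set)."""
    records = bytearray()
    for i in range(0, len(data), SEGMENT_SIZE):
        seg = data[i:i + SEGMENT_SIZE]
        sid = segment_id(seg)
        if sid in known_to_destination:
            records += b"I" + sid
        else:
            records += b"F" + struct.pack(">I", len(seg)) + seg
            known_to_destination.add(sid)
    return zlib.compress(bytes(records))

def reconstruct(optimized: bytes, cache: SegmentCache) -> bytes:
    """Destination side (claims 1, 9-13): decompress, walk the records, rebuild."""
    records = zlib.decompress(optimized)
    out, pos = bytearray(), 0
    while pos < len(records):
        tag, pos = records[pos:pos + 1], pos + 1
        if tag == b"F":
            (length,) = struct.unpack(">I", records[pos:pos + 4])
            seg = records[pos + 4:pos + 4 + length]
            if len(seg) != length:
                raise ValueError("truncated full segment")
            pos += 4 + length
            cache.add(seg)  # claim 12: every full segment enters the cache
            out += seg
        elif tag == b"I":
            sid, pos = records[pos:pos + ID_LEN], pos + ID_LEN
            out += cache.lookup(sid)  # claims 9-11: look up, replace, bump last-seen
        else:
            raise ValueError(f"unknown record tag {tag!r}")
    return bytes(out)

def demo() -> dict:
    """Two constructed streams; the second repeats the first's bulk and shrinks."""
    boilerplate = bytes(range(256)) * 2  # constructed: 8 segments, only 4 distinct
    stream1 = boilerplate + b"record-1:" + b"A" * 55
    stream2 = boilerplate + b"record-2:" + b"B" * 55
    gateway_view, cache = set(), SegmentCache()
    wire1 = optimize(stream1, gateway_view)
    wire2 = optimize(stream2, gateway_view)
    ok1 = reconstruct(wire1, cache) == stream1
    ok2 = reconstruct(wire2, cache) == stream2
    try:  # a cold cache cannot resolve the identifiers in the second stream
        reconstruct(wire2, SegmentCache())
        cold_miss = False
    except KeyError:
        cold_miss = True
    return {"raw1": len(zlib.decompress(wire1)), "wire1": len(wire1),
            "raw2": len(zlib.decompress(wire2)), "wire2": len(wire2),
            "ok1": ok1, "ok2": ok2, "cold_miss": cold_miss, "cache_size": len(cache.entries),
            "seg0_last_seen": cache.entries[segment_id(stream1[:SEGMENT_SIZE])].last_seen,
            "record1_last_seen": cache.entries[segment_id(stream1[-SEGMENT_SIZE:])].last_seen}
```

`demo()` returns the wire sizes and the cache state after both streams; the second stream's record stream is 333 bytes against 477 for the first, because all eight boilerplate segments travel as identifiers. Two points carry over to any real deployment of this scheme. First, the gateway's model of the destination cache (`known_to_destination`) and the destination's actual cache must stay in step: an eviction or a lost stream on the destination side turns into a cache miss, which the receiver has to fail closed on rather than emit a partial file, and which the protocol has to be able to repair by re-sending the full segment. Second, TRE works by recognising that two segments are equal, so whatever the encryption, the optimizer learns which segments repeat; the claims confine that party to the public evaluation key and keep the secret decryption key at the destination, which is what separates "can see repeats" from "can read content".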

Assignees

VMware LLC

Inventors

Classifications

  • wherein the data content is protected, e.g. by encrypting or encapsulating the payload · CPC title

  • characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability (for optimising operational conditions of wireless networks H04W24/02) · CPC title

  • Virtual private networks · CPC title

  • Server selection for load balancing · CPC title

  • specially adapted for file transfer, e.g. file transfer protocol [FTP] · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12355879B2 cover?
Some embodiments of the invention provide a method for WAN (wide area network) optimization for a WAN that connects multiple sites, each of which has at least one router. At a gateway router deployed to a public cloud, the method receives, from at least two routers at at least two sites, multiple data streams destined for a particular centralized datacenter. The method performs a WAN optimization o…
Who is the assignee on this patent?
VMware LLC
What technology area does this patent fall under?
Primary CPC classification H04L63/0428. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jul 8, 2025 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 5 related publications on this page (citations in our corpus or others sharing the same primary CPC).