[ieee 2014 10th international conference on communications (comm) - bucharest, romania...



Comparison-Based Computations Over Fully Homomorphic Encrypted Data

Mihai Togan (1, *) and Cezar Pleşca (1)
(1) certSIGN - Research and Development, Bucharest, Romania
(*) Corresponding author (E-mail: [email protected])

Abstract—The possibility of outsourcing computation to the cloud offers businesses and individuals substantial cost-savings, flexibility, and availability of compute resources, but potentially sacrifices privacy. Homomorphic encryption can help address this problem by allowing the user to upload encrypted data to the cloud, on which the cloud can then operate without having the secret key. The cloud can return encrypted outputs of computations to the user without decrypting the data, thus providing data hosting and services without compromising privacy.

This paper's contribution is two-fold. First, it presents a survey into the subject of fully homomorphic encryption and highlights scenarios where homomorphic encryption could be an appropriate solution. Secondly, we focus on the modeling of number comparison in terms of homomorphic encryption. This approach is then used for applications such as the maximum value from a vector or the sorting problem.

Key words - homomorphic encryption, learning with errors, encrypted comparison, HElib.

I. INTRODUCTION

The notion of homomorphic encryption scheme, originally called privacy homomorphism, was introduced in [1]. Ideally, one should be able to transmit encrypted information to the server, process the encrypted data on the server and retrieve processed data from the server. This ideal situation, for long renowned as the "Holy Grail of Cryptography", finally got a breakthrough in 2009 by Craig Gentry in his Ph.D. thesis [5]. The idea is that any operation can be reduced to the basic addition and multiplication operations at bit level.

Since cloud storage and cloud computing platforms were developed, users have the ability to outsource storage and computations on their data. Further, it allows businesses to offload the task of maintaining a data-center. However, consumers and businesses are concerned about a possible loss of privacy, which leads to a slow adoption of cloud services. The privacy concerns can be mitigated if users encrypt the data sent to the cloud. If the encryption scheme used is homomorphic, the cloud could perform meaningful computations on the encrypted data.

The main issue in this context is the question whether fully homomorphic encryption schemes are efficient enough to be practical for cloud computing. Craig Gentry estimated in an article [9] that performing a Google search with encrypted keywords would multiply the necessary computing time by around 1 trillion. A more scientific analysis of Gentry's fully homomorphic encryption system was done in [14], but Gentry's estimation should make clear that the performance penalty of this scheme is way too big to use it in practice.

In [11], Lauter, Naehrig and Vaikuntanathan provided a few concrete applications of homomorphic encryption and argued that there are many functions which could be useful for privacy-preserving cloud services and which can be computed by many additions and a small number of multiplications on cipher-texts. For example, averages require no multiplications, standard deviation requires one multiplication, and predictive analysis such as logistic regression requires few multiplications.

Using a recently proposed leveled homomorphic encryption scheme, Graepel et al. show in [18] that it is possible to delegate the execution of a machine learning algorithm to a computing service while retaining confidentiality of the training and test data. They defined a new class of machine learning algorithms in which the algorithm's predictions, viewed as functions of the input data, can be expressed as polynomials of bounded degree. A confidential algorithm is then proposed for binary classification based on polynomial approximations to least-squares solutions obtained by a small number of gradient descent steps.

Straightforward implementation of many machine learning algorithms requires operations which are not necessarily represented by a low-degree polynomial, such as comparison and division, making it difficult to adapt certain algorithms to operate on encrypted data. For instance, a comparison x > y is not polynomial, unless the inputs are encrypted bit-wise and a deep circuit for comparison is implemented. Solving this problem may lead to practical implementations for the sorting problem or some other problem like the K-Means clustering algorithm, which requires ordering neighbors according to distance.

The rest of this article is organized as follows: first, we present the main definitions and notations used throughout the paper. We show some of the schemes developed after Gentry's breakthrough, with focus on the method that was really implemented in the form of a software library called HElib. In the second part of the paper, we model the comparison of numbers in terms of homomorphic encryption, and test this approach using HElib. Finally, we discuss a comparison-based application, namely the maximum value from a vector. Conclusions about the current state of homomorphic encryption and possible directions to improve the existing concepts end our paper.

978-1-4799-2385-4/14/$31.00 ©2014 IEEE

II. ABSTRACT FULLY HOMOMORPHIC ENCRYPTION SCHEMES

An encryption scheme E has three algorithms: KeyGen_E, Encrypt_E, and Decrypt_E, all of which must run in polynomial time in the security parameter λ, that specifies the bit-length of the keys. In a symmetric, or secret-key, encryption scheme, KeyGen_E uses λ to generate a single key that is used in both Encrypt_E and Decrypt_E, first to "transform" a message into a ciphertext, and then to map the ciphertext back to the message. In an asymmetric, or public-key, encryption scheme, KeyGen_E uses λ to generate two keys: a public encryption key pk, which may be made available to everyone, and a secret decryption key sk. A homomorphic encryption scheme has a fourth algorithm Evaluate_E, that takes as input the public key pk, a circuit C, and a tuple of ciphertexts Ψ = (ψ_1, ..., ψ_t) and outputs a ciphertext ψ. The fourth algorithm must also run in polynomial time in the security parameter λ and the size of C. We say that E is correct for a circuit C, if for any key-pair (sk, pk) output by KeyGen_E, and any tuple of ciphertexts Ψ = (ψ_1, ..., ψ_t), with ψ_i ← Encrypt_E(pk, π_i), we have that

$$\mathrm{Decrypt}_E(sk, \psi) = C(\pi_1, \ldots, \pi_t), \qquad (1)$$

where ψ ← Evaluate_E(pk, C, Ψ). We say that E is homomorphic for circuits in C_E, if E is correct for any C ∈ C_E. The encryption scheme E is fully homomorphic if it is homomorphic for all circuits. We shall assume that the decryption algorithm of an encryption scheme can be expressed as a circuit of polynomial size in the security parameter λ. A family of schemes {E_d : d ∈ N} is leveled fully homomorphic if they all use the same decryption circuit, E_d is homomorphic for all circuits of depth at most d (using some set of gates Γ), and the computational complexity of E_d's algorithms is polynomial in λ, d, and (in the case of Evaluate_{E_d}) the size of C. For a gate g ∈ Γ, the g-augmented decryption circuit consists of a g-gate connecting multiple copies of the decryption circuit. The set of g-augmented decryption circuits, g ∈ Γ, is denoted by D_E(Γ). If C_E is a set of circuits with respect to which E is homomorphic, then we say that E is bootstrappable with respect to Γ if D_E(Γ) ⊆ C_E. The main result of [5] is the following:

Theorem: One can construct a family {E_d}_{d ∈ N} of leveled fully homomorphic encryption schemes from any bootstrappable encryption scheme E.

We don't give here the construction, but we mention that in the next chapter we will briefly review the main ideas involved in the cases we are interested in: E is bootstrappable with plain-text space P = {0, 1}, and circuits are boolean. Let us finish this section by saying that the "limit" of this family of leveled fully homomorphic encryption schemes may be viewed as a fully homomorphic encryption scheme.

A. Fully Homomorphic Encryption over the Integers

We begin the story about fully homomorphic encryption with the simplest known scheme, which involves only the ring of integers. Even though this scheme is chronologically older than the first FHE scheme described in Gentry's thesis [5], we believe that anyone who aspires to understand Gentry's approach towards FHE should start with this one. Following [9] we consider the following encryption scheme E:

KeyGen_E(λ): The key is a random P-bit odd integer p.

Encrypt_E(p, m): To encrypt a bit m ∈ {0, 1}, set m′ to be a random N-bit number such that m′ ≡ m (mod 2). Output the ciphertext c ← m′ + pq, where q is a random Q-bit number.

Decrypt_E(p, c): Output [c]_p mod 2, where [c]_p is the unique integer in (−p/2, p/2) that is congruent to c modulo p.

Evaluate_E(pk, f, c_1, ..., c_t): Express the boolean function f as a circuit C with XOR and AND gates. Let C† be the same circuit as C, but with XOR and AND gates replaced by addition and multiplication gates over the integers. Let f† be the multivariate polynomial that corresponds to C†. Output c ← f†(c_1, ..., c_t).

Notice that decryption works if the noised message m′ has size less than p/2; in other words, if N ≤ P − 1 then the decryption algorithm outputs m for the input c (where c is a valid encryption of m). The scheme becomes homomorphic if we simply add or multiply the cipher-texts as integers; however, we run into trouble because these operations increase the noise associated to the resulting cipher-texts. Unfortunately, in the end the noise becomes so large that the decryption algorithm no longer returns the correct result.
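The integer scheme E above, as an added Python toy implementation that is not code from the paper or from [9]: it implements KeyGen, Encrypt, Decrypt and the evaluation of XOR and AND gates as integer addition and multiplication, and makes the noise growth visible. The optional m_prime/q arguments of encrypt and the worst-case bound and_depth_guaranteed are this example's own additions; the parameters are constructed and far too small to give any security.

```python
import secrets

# Toy parameters, constructed for this illustration only; they are far too
# small to offer any security and are chosen so that noise growth is visible.
P_BITS = 32   # the secret key p is a random P-bit odd integer
N_BITS = 4    # the noised message m' is a random N-bit number with m' ≡ m (mod 2)
Q_BITS = 64   # q is a random Q-bit number


def keygen(p_bits=P_BITS):
    """KeyGen_E(λ): a random P-bit odd integer p (top and low bits forced to 1)."""
    return secrets.randbits(p_bits) | (1 << (p_bits - 1)) | 1


def encrypt(p, m, m_prime=None, q=None):
    """Encrypt_E(p, m): c = m' + p*q, with m' an N-bit number of parity m.

    m_prime and q are optional (this example's addition) so that a run can be
    made reproducible; the scheme itself draws both at random.
    """
    assert m in (0, 1)
    if m_prime is None:
        m_prime = (secrets.randbits(N_BITS) & ~1) | m
    if q is None:
        q = secrets.randbits(Q_BITS)
    assert m_prime % 2 == m and 0 <= m_prime < (1 << N_BITS)
    return m_prime + p * q


def centered_mod(c, p):
    """[c]_p: the unique integer in (-p/2, p/2) congruent to c modulo p."""
    r = c % p
    return r - p if r > p // 2 else r


def decrypt(p, c):
    """Decrypt_E(p, c): [c]_p mod 2."""
    return centered_mod(c, p) % 2


def noise(p, c):
    """Size of the noise carried by c, i.e. |[c]_p|; only meaningful while the
    true noise is still below p/2, after that it has already wrapped around."""
    return abs(centered_mod(c, p))


def xor(c1, c2):
    """An XOR gate of the circuit C becomes integer addition in C†."""
    return c1 + c2


def and_(c1, c2):
    """An AND gate of the circuit C becomes integer multiplication in C†."""
    return c1 * c2


def and_chain(cts):
    """AND of several encrypted bits: the product of the ciphertexts.
    Noise multiplies at every gate, so depth is what eventually breaks decryption."""
    out = cts[0]
    for c in cts[1:]:
        out = and_(out, c)
    return out


def and_depth_guaranteed(p, k, n_bits=N_BITS):
    """Worst-case check (this example's own bound): the AND of k fresh
    ciphertexts is guaranteed to decrypt correctly while (2^N - 1)^k < p/2."""
    return 2 * ((1 << n_bits) - 1) ** k < p


if __name__ == "__main__":
    p = keygen()
    c0, c1 = encrypt(p, 0), encrypt(p, 1)
    print("0 xor 1 ->", decrypt(p, xor(c0, c1)))
    print("1 and 1 ->", decrypt(p, and_(c1, c1)))
    k = 1
    while and_depth_guaranteed(p, k):
        k += 1
    print("worst-case noise exceeds p/2 after ANDing", k, "fresh ciphertexts")
```

With these parameters, ANDing eight fresh ciphertexts of maximal noise pushes the noise past p/2 and the product decrypts to the wrong bit, which is exactly the failure the text describes.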

One can show that the scheme E is already powerful because it can handle an elementary symmetric polynomial of degree d in t variables, as long as

$$2^{Nd} \cdot \binom{t}{d} < \frac{p}{2},$$

which is true (roughly) when $d < \frac{\eta}{N + \log_2 t}$. That E can evaluate polynomials of such high degree makes it "homomorphic enough" for many applications, e.g. it works well when f† is a basic keyword search. Recall that an encryption scheme E is bootstrappable if it is able to handle its own decryption function.

Starting with a bootstrappable scheme E, Gentry's recipe produces a fully homomorphic encryption scheme E†. We give a brief description of this construction. Suppose that the cipher-text c_1 encrypts the bit m under the public key pk_1. Suppose also that we have encrypted the secret key sk_1: let $\overline{sk_1}$ be a vector of cipher-texts that encrypt the bits of sk_1 under another public key pk_2 via Encrypt_E(pk_2, sk_{1j}). Consider the following algorithm.

Recrypt_E(pk_2, D_E, $\overline{sk_1}$, c_1):
    Generate $\overline{c_1}$ via Encrypt_E(pk_2, c_{1j}) over the bits of c_1
    Output c ← Evaluate_E(pk_2, D_E, $\overline{sk_1}$, $\overline{c_1}$)

For any encryption scheme the decryption circuit takes as inputs the bits of a secret key and the bits of a cipher-text. In Recrypt_E, the decryption circuit has input wires for sk_1 and c_1, each encrypted under pk_2. Since E is used to evaluate the decryption circuit homomorphically, the output c of Recrypt_E is an encryption under pk_2 of Decrypt_E(sk_1, c_1) = m. Therefore, the algorithm Recrypt_E outputs a new encryption of m, but under pk_2.

Notice that evaluating D_E removes the noise associated to c_1 under pk_1 (because decryption removes noise), but Evaluate_E simultaneously introduces new noise while evaluating the ciphertexts under pk_2. As long as the new noise added is less than the old noise removed, we have made progress. Since our goal is to perform actual operations on underlying messages, not merely to obtain a new encryption of the same message, we shall use Recrypt_E after each gate to obtain "fresh noise". Suppose that E can handle D_E augmented by some gate, say Add; call this augmented circuit D_Add (recall that D_E augmented by Add consists of two copies of D_E connected by an Add gate). If c_1 and c_2 are two ciphertexts that encrypt m_1 and m_2, respectively, under pk_1, and we compute $\overline{c_1}$ and $\overline{c_2}$ as before, then we have that

$$c \leftarrow \mathrm{Evaluate}_E(pk_2, D_{Add}, \overline{sk_1}, \overline{c_1}, \overline{c_2}) \qquad (2)$$

is an encryption under pk_2 of m_1 ⊕ m_2. The fully homomorphic encryption scheme E† is obtained by recursing this process. The secret key in E† consists of a sequence (sk_1, ..., sk_l), whereas the public key consists of a sequence (pk_1, ..., pk_{l+1}) and a chain of encrypted secret keys ($\overline{sk_1}$, ..., $\overline{sk_l}$) (where $\overline{sk_i}$ is an encryption of sk_i under pk_{i+1}). To evaluate a function f in E†, express it as a circuit, arrange its gates into levels, and step through the levels sequentially. For a gate at level i + 1, we take as input the encrypted secret key $\overline{sk_i}$ and a couple of ciphertexts associated to output wires at level i that are under pk_i, and we homomorphically evaluate D_Gate to get a ciphertext under pk_{i+1} associated to a wire at level i + 1. Finally, we output the ciphertext associated to the output wire of f.

Unfortunately, the scheme E is not bootstrappable, so that we need to transform it into a new scheme E* by replacing E's decryption function with a circuit that adds a fairly small set of numbers. During the transformation we shall use two integers 0 < α < β.

KeyGen_{E*}(λ): Run KeyGen_E(λ) to obtain keys (pk, sk), where sk is an odd integer p. Generate a set $\vec{y} = \langle y_1, \ldots, y_\beta \rangle$ of rational numbers in [0, 2) such that there is a sparse subset S ⊂ {1, ..., β} of size α with $\sum_{i \in S} y_i \approx 1/p \pmod 2$. Set sk* to be the sparse subset S encoded as a vector s ∈ {0, 1}^β with Hamming weight α. Set pk* ← (pk, $\vec{y}$).

Encrypt_{E*}(pk*, m): Run Encrypt_E(pk, m) to obtain ciphertext c. For i ∈ {1, ..., β}, set z_i ← c · y_i mod 2, keeping only about log α bits of precision after the binary point for each z_i. The ciphertext c* consists of c and $\vec{z} = \langle z_1, \ldots, z_\beta \rangle$.

The moral is that the hint $\vec{y}$ is used to post-process a cipher-text c output by Encrypt_{E*}, with the objective of leaving less work remaining for Decrypt_{E*} to do.

Decrypt_{E*}(sk*, c*): Output $\left(c - \left\lfloor \sum_i s_i z_i \right\rceil\right) \bmod 2$, where $\lfloor \cdot \rceil$ rounds to the nearest integer. Decryption works, since (up to small precision errors)

$$\sum_i s_i z_i = \sum_i s_i c y_i = c \cdot \sum_{i \in S} y_i = c/p \pmod 2 \qquad (3)$$

The important thing about Encrypt_{E*} is that it is defined by a summation containing only α nonzero terms. The bits of this summation can be computed by a polynomial of degree α · polylog(α), which E* can handle if we set α small enough. The scheme E* becomes bootstrappable, for example, if we set the parameters N = λ, P = λ^2, Q = λ^5, and α = λ/polylog(λ).

Since the public key and the secret key are both represented by the odd integer p, the above scheme is a symmetric homomorphic encryption scheme. One can turn it into a public-key scheme, but the procedure adds some complexity. As before, the secret key is p; however, the public key consists of a list of integers that are essentially "encryptions of zero". To encrypt a message one chooses at random a subset from this list, computes the sum of its members and then adds the result to m. For all the details of this procedure we refer the reader to [9]. The security is based on the hardness of the Approximate Common Divisor Problem (this is the problem of finding d, given a collection of integers of the form $\{dq_i + r_i\}_{i=0}^{t}$ with r_i "small", see [12]), and the Sparse Subset-Sum Problem (SSSP) (it should be difficult to distinguish between random subsets of Z and those that have sparse subsets that sum to 0, see [5]).

III. FULLY HOMOMORPHIC ENCRYPTION SCHEMES

A. Fully Homomorphic Encryption using Ideal Lattices

We start by giving a general construction of encryption schemes in terms of rings and ideals (see [5], [6]). We fix a ring R, that is set appropriately with respect to the security parameter λ, and two relatively prime ideals I and J, i.e. I + J = R. We fix a basis B_I of I, and an algorithm IGen(R, B_I) that outputs public and secret bases B_J^{pk} and B_J^{sk} of J. Assume that if r ∈ R and B_J is a basis for the ideal J, then the value r mod B_J is unique and can be computed efficiently with respect to the basis. We use the notation R mod B_J to denote the set of distinguished representatives of the cosets r + J, r ∈ R, with respect to the particular basis B_J of J. We also use an algorithm Samp(x, B_I, R, B_J) that samples from the coset x + I. We have the following general public-key encryption scheme E:

KeyGen(R, B_I): Takes as input a ring R, an ideal I, and a basis of it B_I. Set B_J^{pk}, B_J^{sk} ← IGen(R, B_I). The plaintext space P is a subset of R mod B_I. The public key pk includes R, B_I, B_J^{pk}, and Samp. The secret key sk also includes B_J^{sk}.

Encrypt(pk, π): Takes as input the public key pk and plain-text π ∈ P. It sets ψ′ ← Samp(π, B_I, R, B_J^{pk}) and outputs ψ ← ψ′ mod B_J^{pk}.

Decrypt(sk, ψ): Takes as input the secret key sk and a cipher-text ψ. It outputs π ← (ψ mod B_J^{sk}) mod B_I.

Evaluate(pk, C, Ψ): Takes as input the public key pk, a circuit C in some permitted set C_E of circuits composed of Add_{B_I} and Mult_{B_I} gates, and a set of input cipher-texts Ψ. It invokes Add and Mult, given below, in the proper sequence to compute the output cipher-text.

Add(pk, ψ_1, ψ_2): Outputs ψ_1 + ψ_2 mod B_J^{pk}.

Mult(pk, ψ_1, ψ_2): Outputs ψ_1 × ψ_2 mod B_J^{pk}.

Let us discuss in what follows the example of the above abstract construction considered in [14]. Let R = Z[x]/(x^n + 1), where n is a power of 2. The ideal I is chosen to be I = (2). The plain-text space is {0, 1}, which is embedded in R/I = {0, 1}^n by encoding 0 as 0^n and 1 as 0^{n−1}1. The ideal J is chosen to be principal, generated by the polynomial v(x), and such that J = (d, x − r), where the odd integer d is the resultant of the polynomials v(x) and x^n + 1, and r ∈ Z is a root of x^n + 1 modulo d.

The public key is determined by the two integers d, r, whereas the secret key consists of the pair (v, w), where w is the scaled inverse of v, i.e. v × w = d modulo x^n + 1. To encrypt the bit m, the scheme chooses a polynomial u(x) with small coefficients, and outputs the ciphertext c ← [m + 2u(r)]_d. To decrypt, let w_i be one of the odd coefficients of w; then the bit m is recovered as m = [c w_i]_d (mod 2). Unfortunately, the scheme is not bootstrappable, so that one needs to "squash" the decryption circuit using a procedure similar to the one from the previous section. The security of the scheme is based on the "bounded distance decoding" problem (i.e. finding the closest lattice point to a given point in the ambient space, see [4]), and on SSSP, as before.

B. Fully Homomorphic Encryption from LWE

The simplest and yet the most powerful fully homomorphic encryption scheme known to date was constructed in [13]. The whole construction is based on the so called "learning with errors" (LWE) problem, first presented by Regev in [2], see also [10]. The LWE assumption states that if s ∈ Z_q^n is an n-dimensional (secret) vector, any polynomial number of "noisy" random linear combinations of the coefficients of s are computationally indistinguishable from uniformly random elements in Z_q. More precisely:

$$\{a_i, \langle a_i, s \rangle + e_i\}_{i=1}^{poly(n)} \stackrel{c}{\approx} \{a_i, u_i\}_{i=1}^{poly(n)} \qquad (4)$$

where a_i ∈ Z_q^n and u_i ∈ Z_q are uniformly random, and the "noise" e_i is sampled from a noise distribution that outputs numbers much smaller than q (for example a discrete Gaussian distribution over Z_q with small standard deviation). The LWE problem is at least as hard as finding short vectors in any lattice (see [2] and [7]).

To encrypt a bit m choose a random a ∈ Z_q^n, a "noise" e ∈ Z_q, and compute b ← m + 2e + ⟨a, s⟩ (here s is the public/secret key). The cipher-text is c ← (a, b) ∈ Z_q^{n+1}. To decrypt, compute b − ⟨a, s⟩; the result is 2e + m (mod q), and since e is chosen to be much smaller than q, we get that 2e + m (mod q) = 2e + m. Finally, compute 2e + m (mod 2).

The scheme is homomorphic with respect to addition, until too much noise accumulates. To make it homomorphic with respect to multiplication one needs to use the re-linearization technique introduced in [13] and refined in [15]. The method allows one multiplication to be done by encrypting the product under a new secret key. Posting a "chain" of L secret keys allows one to perform up to L levels of multiplications. This new construction produces a leveled fully homomorphic encryption scheme without using Gentry's bootstrapping procedure.
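The symmetric LWE encryption of a bit described above, as an added Python toy example that is not code from the paper or from [13]: it implements b ← m + 2e + ⟨a, s⟩, decryption via b − ⟨a, s⟩, and the additive homomorphism (ciphertext addition is an XOR of the bits) together with the noise it accumulates. The optional a/e arguments and the worst-case bound additions_guaranteed are this example's own additions; a bounded uniform noise stands in for the discrete Gaussian, and the parameters are constructed and give no security.

```python
import secrets

# Toy parameters, constructed for this illustration only; they give no security.
N_DIM = 8         # dimension n of the secret vector s
Q = 1 << 16       # modulus q
NOISE_BOUND = 4   # |e| <= NOISE_BOUND, much smaller than q


def keygen(n=N_DIM, q=Q):
    """The (secret) key is a uniformly random vector s in Z_q^n."""
    return [secrets.randbelow(q) for _ in range(n)]


def inner(a, s, q):
    """<a, s> mod q."""
    return sum(ai * si for ai, si in zip(a, s)) % q


def sample_noise(bound=NOISE_BOUND):
    """Small noise e; a bounded uniform sample stands in for a discrete Gaussian."""
    return secrets.randbelow(2 * bound + 1) - bound


def encrypt(s, m, q=Q, a=None, e=None):
    """b <- m + 2e + <a, s>; the ciphertext is (a, b) in Z_q^{n+1}.
    a and e may be fixed explicitly (this example's addition) for reproducible runs."""
    assert m in (0, 1)
    if a is None:
        a = [secrets.randbelow(q) for _ in range(len(s))]
    if e is None:
        e = sample_noise()
    return (a, (m + 2 * e + inner(a, s, q)) % q)


def centered(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def noise_term(s, ct, q=Q):
    """b - <a, s> lifted to the integers: equals 2e + m while |2e + m| < q/2."""
    a, b = ct
    return centered(b - inner(a, s, q), q)


def decrypt(s, ct, q=Q):
    """(b - <a, s>) mod q, then mod 2."""
    return noise_term(s, ct, q) % 2


def add(ct1, ct2, q=Q):
    """Homomorphic XOR: component-wise addition of ciphertexts; the noise
    terms 2e1 + m1 and 2e2 + m2 add as well, so noise grows with every addition."""
    (a1, b1), (a2, b2) = ct1, ct2
    return ([(x + y) % q for x, y in zip(a1, a2)], (b1 + b2) % q)


def additions_guaranteed(k, q=Q, bound=NOISE_BOUND):
    """Worst-case check (this example's own bound): the sum of k fresh ciphertexts
    still decrypts correctly while k * (2*bound + 1) < q/2."""
    return 2 * k * (2 * bound + 1) < q
```

Multiplying two ciphertexts is not covered here: the product b_1 b_2 is quadratic in s, which is exactly why the re-linearization technique mentioned above is needed.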

IV. IMPLEMENTING A HOMOMORPHIC COMPUTATION

This section will show a way to implement several computations that require integer comparison, such as the maximum value of a vector or the vector sorting problem. This takes us to a fundamental exercise, namely comparing two homomorphically encrypted integers, which will be explained further.

A. Cypher-Integer Comparison

We want to compare two integers X and Y binary represented as X = x_{n−1}x_{n−2}···x_0 and Y = y_{n−1}y_{n−2}···y_0. Comparing X and Y translates to bit comparison, from the msb to the lsb; therefore, a toy example is to consider the comparison of two bits, x and y. The binary expressions (computation is done in Z_2) corresponding to three of their possible relations are the following:

$$x > y \Leftrightarrow xy + x = 1 \qquad (5)$$
$$x = y \Leftrightarrow x + y + 1 = 1 \qquad (6)$$
$$x \le y \Leftrightarrow xy + x + 1 = 1 \qquad (7)$$

This means that if we have the FH encryptions of x and y, namely C_x and C_y, we can evaluate C = C_x · C_y + C_x (using (5)). Upon decryption of C, one can know if x > y (i.e. Dec(C) = 1) or x ≤ y (i.e. Dec(C) = 0).

Let's consider the case of two integers X = x_1x_0 and Y = y_1y_0 represented on n = 2 bits. The binary expression that could be used to evaluate the relation X > Y is the following:

$$\begin{aligned} x_1x_0 > y_1y_0 &\Leftrightarrow (x_1 > y_1) \lor \big((x_1 = y_1) \land (x_0 > y_0)\big) = \top \\ &\Leftrightarrow (x_1y_1 + x_1) + (x_1 + y_1 + 1)(x_0y_0 + x_0) = 1 \\ &\Leftrightarrow x_1y_1 + x_1 + x_1x_0y_0 + x_1x_0 + y_1x_0y_0 + y_1x_0 + x_0y_0 + x_0 = 1 \end{aligned} \qquad (8)$$

The last line of (8) gives a polynomial F(x_1, x_0, y_1, y_0) (or shortly F(X, Y)) that needs to be evaluated on the cypher-bits of X and Y to obtain the encrypted version of the relation X > Y. Similarly, one can obtain the corresponding binary evaluation polynomials for the relations X = Y and X ≤ Y. Moreover, a simple reasoning by induction could prove that, for an n-bit representation, the evaluation functions for X > Y and X ≤ Y lead to polynomials of degree n + 1, while X = Y leads to a polynomial of degree n. Nevertheless, the number of multiplications involved in such an evaluation could be reduced to ⌈log_2(n)⌉ using appropriate factor grouping.

The previous (naive) approach of finding the evaluation function corresponding to an n-bit integer comparison circuit becomes more complex and quite difficult to compute as n increases. Therefore, a more elegant and simpler solution could use a divide-and-conquer approach as presented in [3]. Namely, for two n-bit integers X and Y and taking l = ⌈n/2⌉, we have the following decomposition:

$$\overbrace{x_{n-1} \cdots x_l}^{msb(X)}\ \overbrace{x_{l-1} \cdots x_0}^{lsb(X)} > \overbrace{y_{n-1} \cdots y_l}^{msb(Y)}\ \overbrace{y_{l-1} \cdots y_0}^{lsb(Y)} \Leftrightarrow (msb(X) > msb(Y)) \lor \big((msb(X) = msb(Y)) \land (lsb(X) > lsb(Y))\big) \qquad (9)$$

This property suggests a method that would first split the bit strings X and Y in about equally long parts, compare these parts recursively, and then combine these to produce the final output. If the recursive approach from (9) is possible at the boolean logic level, then it is naturally applicable at the Z_2 arithmetic level. To evaluate F(X, Y) for X > Y using Z_2 arithmetic operations (as seen in (8) for n = 2), we introduce the following auxiliary functions:

1) t_{i,j} is the boolean value corresponding to the truth value of the expression x_{i+j−1} ··· x_i > y_{i+j−1} ··· y_i

2) z_{i,j} is the boolean value corresponding to the truth value of the expression x_{i+j−1} ··· x_i = y_{i+j−1} ··· y_i

3) s_{i,j} is the boolean value corresponding to the truth value of the expression x_{i+j−1} ··· x_i ≥ y_{i+j−1} ··· y_i

Expressed explicitly in terms of the bits of X and Y, a full solution for X > Y and X ≥ Y is obtained by evaluating t_{0,n} and s_{0,n} respectively, using the following recurrences (choosing each time l = ⌈j/2⌉):

$$t_{i,j} = \begin{cases} x_i y_i + x_i, & j = 1 \\ t_{i+l,j-l} + z_{i+l,j-l}\, t_{i,l}, & j > 1 \end{cases} \qquad (10)$$

$$z_{i,j} = \begin{cases} x_i + y_i + 1, & j = 1 \\ z_{i+l,j-l}\, z_{i,l}, & j > 1 \end{cases} \qquad (11)$$

$$s_{i,j} = \begin{cases} x_i y_i + y_i + 1, & j = 1 \\ t_{i+l,j-l} + z_{i+l,j-l}\, s_{i,l}, & j > 1 \end{cases} \qquad (12)$$

Correctness of the computation follows from the same decomposition principle illustrated in (9). The depth of the equivalent boolean circuit is exactly ⌈log_2(n)⌉, hence O(log(n)) with hidden constant 1 for the base-2 logarithm. Given the divide-and-conquer approach of (11), the number of multiplications for the z evaluation for n = 2^k is straightforwardly given by the formula:

$$1 + 2^1 + 2^2 + \cdots + 2^{k-1} = n - 1 \qquad (13)$$

Let C(n) be the number of multiplications for the t evaluation. Following the recurrence formula from (10), and restricting the analysis to n a power of 2, C(n) can be expressed as:

$$C(n) = C\!\left(\frac{n}{2}\right) + \left(\frac{n}{2} - 1\right) + C\!\left(\frac{n}{2}\right) + 1 = 2C\!\left(\frac{n}{2}\right) + \frac{n}{2} \qquad (14)$$

This recurrence is just a special case of the well known master theorem, a technique used in algorithm complexity analysis, which allows one to solve general recurrences of the form T(n) = aT(n/b) + f(n). Therefore, the number of multiplications to evaluate the order relation X > Y is given by:

$$C(n) = n\left(1 + \frac{\log_2(n)}{2}\right) \qquad (15)$$

B. Maximum Problem

Knowing how to compare two encrypted integers, let's construct a protocol to find the maximum value from an encrypted vector of integers. Formally, consider a vector of n elements {v_1, v_2, ..., v_n} and its component-wise encrypted version {c_1, c_2, ..., c_n}. Let's call F an evaluation function that allows us to compare two numbers, in the sense of the order relation x ≥ y; hence, F(x, y) = Enc(1) ⇔ x ≥ y. A value v_i is the maximum if the following relations hold:

v_i ≥ v_1 ⇔ F(v_i, v_1) = Enc(1)

v_i ≥ v_2 ⇔ F(v_i, v_2) = Enc(1)

···

v_i ≥ v_n ⇔ F(v_i, v_n) = Enc(1)

Therefore, computing the product P(i) of all F(v_i, v_j) factors (j ≠ i), we should obtain an encryption of 1. Conversely, if v_i is not the maximum value of the vector, there is at least one value j leading to F(v_i, v_j) = Enc(0), hence the overall product becomes an encryption of 0.

Having the encrypted numbers in the cloud, the protocol to find the maximum value requires the computation of P(i) for all encrypted numbers and the sending of the encrypted values to the client. The client decrypts the stream of P(i) until it finds a value of 1. It then asks the cloud to send the corresponding encrypted information Enc(v_i), from which the client finds the maximum value of the vector. The number of values sent from the cloud to the client is the same as the complexity of the maximum problem solved for unencrypted values, i.e. O(n), with n/2 values sent on average.

$$P(i) = \prod_{j \ne i} F(v_i, v_j); \qquad P(i) = Enc(1) \Leftrightarrow v_i \ge v_j\ \ \forall j \ne i \qquad (16)$$
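The recurrences (10)-(12) of subsection A and the maximum protocol (16) of subsection B, as one added Python example that is neither the paper's code nor HElib: the circuits are evaluated over plain Z_2 bits with a counter standing in for ciphertext multiplications (additions are free in the paper's cost model), so that the multiplication counts of (13) and (15) can be checked directly, and the cloud-side products P(i) are then computed with the ≥ circuit as F. The MultCounter class and all function names are this example's own; a real deployment would run the same circuits on ciphertexts.

```python
from math import ceil, log2


class MultCounter:
    """Counts the multiplications a circuit performs; additions are treated as free,
    as in the paper's cost model. Values are bits in Z_2."""
    def __init__(self):
        self.mults = 0

    def mul(self, a, b):
        self.mults += 1
        return (a * b) % 2


def to_bits(v, n):
    """Bits x_0 ... x_{n-1} of v, least significant first (x_i is the 2^i bit)."""
    return [(v >> i) & 1 for i in range(n)]


def t(xb, yb, i, j, ctr):
    """t_{i,j}: x_{i+j-1}..x_i > y_{i+j-1}..y_i, by recurrence (10)."""
    if j == 1:
        return (ctr.mul(xb[i], yb[i]) + xb[i]) % 2
    l = ceil(j / 2)                 # lsb part has l bits, msb part j - l bits
    return (t(xb, yb, i + l, j - l, ctr)
            + ctr.mul(z(xb, yb, i + l, j - l, ctr), t(xb, yb, i, l, ctr))) % 2


def z(xb, yb, i, j, ctr):
    """z_{i,j}: x_{i+j-1}..x_i = y_{i+j-1}..y_i, by recurrence (11)."""
    if j == 1:
        return (xb[i] + yb[i] + 1) % 2
    l = ceil(j / 2)
    return ctr.mul(z(xb, yb, i + l, j - l, ctr), z(xb, yb, i, l, ctr))


def s(xb, yb, i, j, ctr):
    """s_{i,j}: x_{i+j-1}..x_i >= y_{i+j-1}..y_i, by recurrence (12)."""
    if j == 1:
        return (ctr.mul(xb[i], yb[i]) + yb[i] + 1) % 2
    l = ceil(j / 2)
    return (t(xb, yb, i + l, j - l, ctr)
            + ctr.mul(z(xb, yb, i + l, j - l, ctr), s(xb, yb, i, l, ctr))) % 2


def compare(x, y, n, relation):
    """Evaluate X > Y ("gt"), X = Y ("eq") or X >= Y ("ge") on n-bit inputs,
    i.e. t_{0,n}, z_{0,n} or s_{0,n}. Returns (result bit, multiplications used)."""
    xb, yb = to_bits(x, n), to_bits(y, n)
    ctr = MultCounter()
    circuit = {"gt": t, "eq": z, "ge": s}[relation]
    return circuit(xb, yb, 0, n, ctr), ctr.mults


def predicted_mults_gt(n):
    """Equation (15): C(n) = n (1 + log2(n)/2), valid for n a power of two."""
    return int(n * (1 + log2(n) / 2))


def max_products(values, n):
    """Cloud side of the maximum protocol: P(i) = prod_{j != i} F(v_i, v_j) with
    F the >= circuit, equation (16). Here the values are plain n-bit integers;
    with real FHE every compare() and product would run on ciphertexts."""
    products = []
    for i, vi in enumerate(values):
        p = 1
        for j, vj in enumerate(values):
            if j != i:
                p = (p * compare(vi, vj, n, "ge")[0]) % 2
        products.append(p)
    return products


def find_max_index(values, n):
    """Client side: read the P(i) stream and stop at the first value of 1; that
    index is then requested from the cloud. Ties (equal maxima) all give P(i) = 1."""
    for i, pi in enumerate(max_products(values, n)):
        if pi == 1:
            return i
    return None
```

The recurrences also work for n that is not a power of two (l = ⌈j/2⌉ is taken at every level); only the closed forms (13) and (15) assume n = 2^k.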

C. Experimenting with HElib

The most efficient fully homomorphic encryption schemehas been implemented by the IBM research team conductedby S. Halevi and V. Shoup using ideas that can be foundin [15], [16], and [17]. The implementation is calledHomomorphic-Encryption Library (HELib) and can be foundat: https://github.com/shaih/HElib. This software library im-plements the RLWE homomorphic encryption scheme, alongwith many optimizations to make homomorphic evaluationruns faster. HElib is written in C++ and uses the NTLmathematical library.

Our experiments with HElib were conducted on a machine equipped with an Intel(R) Xeon(R) E5-1620 CPU at 3.60GHz and 12GB of memory. We implemented and tested the evaluation functions for the three order relations presented in (10), (11) and (12). For each relation, we randomly generate a set of integer pairs, encrypt them under the FHE scheme and measure the execution time of the comparison evaluation functions. In our tests, the binary length of the integers varies from 1 to 16 bits. For the HElib context, mainly defined by the security parameter (λ) and the circuit depth (D), we chose λ ∈ {80, 128} and D = 8. The chosen value of D allows the comparison of integers of length up to 2^8 = 256 bits.

Table I presents the absolute average execution time (in seconds) for comparing 8-bit and 16-bit integers, respectively. One can notice that the timing costs are quite high, even for the comparison of small integers. Similarly, the secret key generated by HElib for our scenarios has a size of about 225MB for λ = 128 and 75MB for λ = 80.

Table I: Timing Costs (sec) for HE Comparison Operations

Security        λ = 80                          λ = 128
Relation        =        >        ≥             =        >        ≥
8 bits          5.045    11.147   11.402        5.764    12.843   13.018
16 bits         11.656   29.035   29.269        13.376   33.429   33.613

The execution time of the ">" evaluation function with respect to the integer bit-length is illustrated in Fig. 1. The time values are normalized by a constant factor, namely the time taken by a single ciphertext multiplication. In this figure, one can observe that the experimental curve is very close to the theoretical one given by (15).

Figure 1: Time Execution of Encrypted Comparison

V. CONCLUSIONS

This paper presents a survey of the most recent fully homomorphic encryption techniques and highlights scenarios where homomorphic encryption could be an appropriate solution. We focus on algorithms based on number comparison and propose a modeling of this order relation in terms of homomorphic encryption. We implemented the proposed model using a recent FHE library, HElib. We show how this approach can be applied to find the maximum value of an encrypted vector; many other applications, such as sorting, searching or even K-Means clustering, could benefit from this idea. The proposed method uses a divide-and-conquer approach which is suitable for a parallel implementation within a cloud environment.

All known fully homomorphic encryption schemes are based on the hardness of lattice problems. One can ask the following natural question: can we construct fully homomorphic encryption from other approaches, for example from number-theoretic assumptions? Can the hardness of factoring or of discrete logarithms be brought to bear on this problem?

Some applications of fully homomorphic encryption do not require its full power. Further improvements in the design of fully homomorphic encryption schemes can take into account approaches that use different specializations of Gentry's blueprint combined with the GLWE method. The ring R used in all of the approaches described above is the ring of integers of some cyclotomic number field.

In the implementation process, a vital property of these rings is that the associated Galois group is commutative. It is interesting to find out whether such implementations can exist within a more general framework, where the Galois groups are slightly more general. Notice that even in the commutative case (by the Kronecker-Weber theorem, one is forced to consider only subfields of cyclotomic extensions), other choices might lead to improvements in the efficiency or security of the encryption schemes. For example, one could start this line of investigation with the ring of integers of the maximal real subfield of the m-th cyclotomic field, i.e. $R = \mathbb{Z}[\zeta_m + \zeta_m^{-1}]$, with $\zeta_m$ a primitive m-th root of unity.

ACKNOWLEDGEMENTS

This paper contains work done in the research project "Development of technologies for securing data in Cloud" (no. 9DPST/2013), partially supported by the Romanian UEFISCDI.

REFERENCES

[1] R. Rivest, L. Adleman and M. Dertouzos, "On Data Banks and Privacy Homomorphisms", Foundations of Secure Computation, pp. 169-180, 1978.

[2] O. Regev, "On Lattices, Learning with Errors, Random Linear Codes and Cryptography", ACM Symposium on Theory of Computing, pp. 84-93, 2005.

[3] J. Garay, B. Schoenmakers and J. Villegas, "Practical and Secure Solutions for Integer Comparison", Public Key Cryptography, Lecture Notes in Computer Science, pp. 330-342, 2007.

[4] N. Gama and P. Q. Nguyen, "Predicting Lattice Reduction", Advances in Cryptology, Eurocrypt 2008, Lecture Notes in Computer Science, pp. 31-51, 2008.

[5] C. Gentry, "A Fully Homomorphic Encryption Scheme", PhD Thesis, Stanford University, http://crypto.stanford.edu/craig, 2009.

[6] C. Gentry, "Fully Homomorphic Encryption Using Ideal Lattices", ACM Symposium on Theory of Computing, pp. 169-178, 2009.

[7] C. Peikert, "Public-key Cryptosystems from the Worst-Case Shortest Vector Problem: Extended Abstract", ACM Symposium on Theory of Computing, pp. 333-342, 2009.

[8] M. van Dijk, C. Gentry, S. Halevi and V. Vaikuntanathan, "Fully Homomorphic Encryption over the Integers", Advances in Cryptology, Eurocrypt 2010, Lecture Notes in Computer Science, pp. 24-43, 2010.

[9] C. Gentry, "Computing Arbitrary Functions of Encrypted Data", Communications of the ACM, pp. 97-105, 2010.

[10] V. Lyubashevsky, C. Peikert and O. Regev, "On Ideal Lattices and Learning with Errors over Rings", Eurocrypt, Lecture Notes in Computer Science, pp. 1-23, 2010.

[11] M. Naehrig, K. Lauter and V. Vaikuntanathan, "Can Homomorphic Encryption Be Practical?", ACM Cloud Computing Security Workshop, pp. 113-124, 2011.

[12] N. Howgrave-Graham, "Approximate Integer Common Divisors", CaLC, Lecture Notes in Computer Science, pp. 51-66, 2001.

[13] Z. Brakerski and V. Vaikuntanathan, "Efficient Fully Homomorphic Encryption from (Standard) LWE", IEEE Symposium on Foundations of Computer Science, pp. 97-106, 2011.

[14] C. Gentry and S. Halevi, "Implementing Gentry's Fully-Homomorphic Encryption Scheme", Advances in Cryptology, Eurocrypt 2011, Lecture Notes in Computer Science, pp. 129-148, 2011.

[15] Z. Brakerski, C. Gentry and V. Vaikuntanathan, "(Leveled) Fully Homomorphic Encryption without Bootstrapping", Innovations in Theoretical Computer Science Conference, pp. 309-325, 2012.

[16] C. Gentry, S. Halevi and N. Smart, "Homomorphic Evaluation of the AES Circuit", Advances in Cryptology, Crypto 2012, Lecture Notes in Computer Science, pp. 850-867, 2012.

[17] N. Smart and F. Vercauteren, "Fully Homomorphic SIMD Operations", Designs, Codes and Cryptography, 2012.

[18] T. Graepel, K. Lauter and M. Naehrig, "ML Confidential: Machine Learning on Encrypted Data", Information Security and Cryptology, Lecture Notes in Computer Science, pp. 1-21, 2013.