Page 1: On the Practicality of Various Classes of Homomorphic …njhlai/research/papers/On the... · 2016. 9. 14. · On the Practicality of Various Classes of Homomorphic Cryptosystems 3

On the Practicality of Various Classes of Homomorphic Cryptosystems

Nicholas Jian Hao Lai, University of Waterloo, [email protected]

October 4, 2013

Abstract: Homomorphic cryptography has seen a burst of research activity in recent years. In fact, it has started to attract attention from the technology industry, mainly due to its proposed application in cloud computing. In this article, we aim to give a brief survey of the state of the art of various classes of homomorphic cryptosystems and to illustrate their practicality.

1 Introduction

If one closely examines the modern theory of cryptography, one might find that modern cryptosystems are essentially algebraic constructs that define a system of functions from one algebraic structure, say a finite field of characteristic p, to another algebraic structure, perhaps a finite field of characteristic q, subject to some security constraints. Naturally, one might ask whether a family of functions that has certain additional properties is permitted as the functions in a cryptosystem. In particular, we might ask whether a certain class of functions can be used as the encryption or decryption function in a cryptosystem.

Many subfields of cryptography are classified and categorised by the additional properties that the encryption or decryption functions of their cryptosystems share. Homomorphic cryptography is one such subfield. Informally, homomorphic cryptography is the study of a class of cryptosystems, called homomorphic cryptosystems or homomorphic encryption schemes, in which the decryption function is a homomorphism from one algebraic structure, the ciphertext space, to another, the plaintext space. Thus, group operations are preserved in the ciphertext space, allowing one to do computations on the ciphertexts that are reflected as a well-behaved response on the plaintexts upon decryption. Even when armed with only this informal definition, it is not hard to see why this has generated a lot of interest from the technology industry: what we ultimately want to do with encrypted data is to be able to perform computations whilst ensuring privacy and security, and the ability of homomorphic cryptosystems to do computations on ciphertexts that have the desired results reflected at the plaintext level is a rather elegant chisel to complete the toolbox. In other words, homomorphic cryptosystems allow computation to be delegated to an untrusted third party, where the untrusted party learns nothing of the encrypted data. This is a very desirable property, particularly in cloud computing.

Although there has been an explosion of exciting research results in homomorphic cryptography recently, this subfield is by no means a young field. The possibility of a secure cryptosystem that allows meaningful computations on encrypted data has been considered since 1978. Rivest, Adleman and Dertouzos introduced in their paper [RAD78] a broader concept called general privacy homomorphism, and Henry observed in his paper [Hen08] that homomorphic cryptography is but a special case of this concept. In fact, one of the best known cryptosystems, the (unpadded) RSA system, was known to exhibit multiplicative homomorphism since its inception. However, at the time this property was considered undesirable, which led to the introduction of padding.

Nonetheless, this little bit of history demonstrates one of the difficulties in homomorphic cryptography. When any change to the ciphertext produces a predictable change in the plaintext, this might indicate a considerable security concern. For one, an adversary might be able to intercept the ciphertext and perform unwanted changes, thus wreaking havoc or perhaps even giving the adversary a way to break the cryptosystem. Although this problem is inherently due to the homomorphism that we imposed on the encryption, it is not entirely unsolvable, provided we are ready to relax some security constraints on the cryptosystem [Hen08].

Another problem that one faces is the complexity and inefficiency that result from addressing the problem just mentioned in a homomorphic cryptosystem. A naive, but by no means easy, approach to solving the security problem is to find a relatively complex algebraic structure and develop rather expensive techniques to ensure the integrity of the cryptosystem whilst achieving an encryption scheme with an expressive homomorphic structure on it. Gentry's solution in 2009, outlined in his thesis [Gen09], to one of the most important open questions in this subfield, the existence of a fully homomorphic cryptosystem, was achieved using this general idea. Although Gentry's fully homomorphic cryptosystem in [Gen09] is too complicated for practical implementation, it nevertheless provides important insights and showed what was possible, at a time when many cryptographers thought the open problem might not be solved in our lifetime. The question, now that we know such cryptosystems exist, is whether it is possible to construct one that is practical.

The majority of the recent literature on homomorphic cryptography since [Gen09] attempts to address the latter problem. In this paper, we will pay particular attention to the practicality of various classes of homomorphic cryptosystems and also provide a high-level overview of the current state of the art. This paper will not attempt to be exhaustive in its treatment of homomorphic cryptography; nevertheless we will present the key details of this subfield, especially to demonstrate the crucial ideas behind the research program to construct a practical fully homomorphic cryptosystem.

2 Preliminaries

For consistency, we will mainly adopt the notation employed in [Hen08], modulo a couple of modifications, throughout this paper. We begin with a definition:

Definition 2.1. A (probabilistic) cryptosystem is a six-tuple (M, C, K, E, D, R) such that

1. M is the message space

2. C is the ciphertext space

3. R is the space of randomisers

4. K is the key space, and each element K ∈ K is of the form K = (K_enc, K_dec), known as a key pair.

5. E is the family of encryption functions, i.e. $\mathcal{E} = \{e : \mathcal{M} \times \mathcal{R} \to \mathcal{C}\}$

6. D is the family of decryption functions, i.e. $\mathcal{D} = \{d : \mathcal{C} \to \mathcal{M}\}$

7. ∀K = (K_enc, K_dec) ∈ K, there exists a unique $e_{K_{enc}} \in \mathcal{E}$ and a unique $d_{K_{dec}} \in \mathcal{D}$ such that ∀m ∈ M, ∀r ∈ R, $d_{K_{dec}}(e_{K_{enc}}(m, r)) = m$

An instance of the cryptosystem is generated by an algorithm KeyGen producing a K ∈ K, i.e. $K \leftarrow \mathrm{KeyGen}(1^\lambda)$, for some predefined λ.

There are two main types of cryptosystems, whose definitions are given below:

Definition 2.2. A cryptosystem is a symmetric-key cryptosystem if it is computationally easy to deduce K_dec from K_enc. If it is instead computationally infeasible to deduce K_dec from K_enc, it is then a public-key cryptosystem.

We will usually be concerned with public-key cryptosystems in this paper. For completeness, we remark that in a public-key cryptosystem, pk = K_enc is called the public key and sk = K_dec is called the private/secret key, whilst in a symmetric-key cryptosystem, since K_dec can be easily deduced from K_enc, they are collectively called the secret key.

We will now construct a mathematical notion of security as a uniform measurement of the strength of each cryptosystem. Specifically, we have the following [LMSV10]:

Definition 2.3. Let A be an adversary. Given a pre-defined security parameter ε, an (atk)-security game for a public-key cryptosystem is the following game:

Algorithm 1: (atk)-Security Game
Input: λ
Output: Result of the game
K ← KeyGen(1^λ)
Send pk = K_enc to A
Stage One: (m0, m1, St1) ← A(pk)
b ← {0, 1}
c = e_K(m_b)
Stage Two: b′ ← A(c, St2)
if b = b′ then result = WIN
else result = LOSE
return result

where St_i indicates that A may perform a polynomially-bounded number of encryptions and other computations, with additional access to a black-box decryption oracle as dictated by atk. The advantage of an adversary in winning the above game is defined as

$\mathrm{Adv}^{\mathrm{IND}\text{-}atk}_{\mathcal{A},\varepsilon,\lambda} = \left| P(b = b') - \tfrac{1}{2} \right|$

With this security-game model, we can precisely capture the attacks that a cryptosystem might face. The security of a cryptosystem may therefore be formalised as follows:

Definition 2.4. A public-key cryptosystem is said to be indistinguishable under (atk) attack, denoted as IND-(atk), if given a pre-defined security parameter ε, there exists a function v : N → R such that a probabilistic polynomially-bounded adversary has advantage

$\mathrm{Adv}^{\mathrm{IND}\text{-}atk}_{\mathcal{A},\varepsilon,\lambda} < v(\varepsilon)$

in winning the (atk)-security game, where v is negligible, i.e. for any non-zero polynomial p ∈ R[x], ∃n ∈ N such that ∀m ≥ n,

$|v(m)| < \frac{1}{|p(m)|}$

The following are some basic types of attacks:

1. Chosen plaintext attack: if atk dictates that A has no access to a decryption oracle, then atk = CPA.

2. Chosen non-adaptive ciphertext attack: if atk dictates that A has access to a decryption oracle only at stage one, then atk = CCA1.

3. Chosen adaptive ciphertext attack: if atk dictates that A has access to a decryption oracle in both stages, except that A may not query the challenge ciphertext c, then atk = CCA2.
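To make Algorithm 1 concrete, here is an added Python example (not code from the paper) that plays the (CPA)-security game against a scheme passed in as plain functions and estimates the advantage of Definition 2.3 empirically. The scheme under test is textbook unpadded RSA with a constructed toy key (p = 61, q = 53, e = 17; an assumption for illustration, not a parameter from the paper). Because its randomiser space R is trivial, an adversary holding pk can re-encrypt m0 and compare with the challenge, so it wins every round and has advantage exactly 1/2, whereas a guessing adversary that ignores the ciphertext stays near 0.

```python
import secrets

def rsa_keygen():
    """Textbook (unpadded) RSA with a constructed toy key: p = 61, q = 53, e = 17.
    Assumption for illustration only; not a parameter from the paper."""
    p, q, e = 61, 53, 17
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)           # modular inverse (Python 3.8+)
    return (n, e), (n, d)         # (pk, sk)

def rsa_encrypt(pk, m):
    """e_pk(m) = m^e mod n. No randomiser: the same m always gives the same c."""
    n, e = pk
    return pow(m, e, n)

def rsa_decrypt(sk, c):
    """d_sk(c) = c^d mod n."""
    n, d = sk
    return pow(c, d, n)

def cpa_game(keygen, encrypt, adversary):
    """One run of the (CPA)-security game of Definition 2.3: atk = CPA, so the
    adversary receives pk and no decryption oracle. Returns True when b' = b (WIN)."""
    pk, _sk = keygen()                        # K <- KeyGen(1^lambda)
    m0, m1, state = adversary.stage_one(pk)   # Stage One: (m0, m1, St) <- A(pk)
    b = secrets.randbelow(2)                  # b <- {0, 1}
    c = encrypt(pk, (m0, m1)[b])              # c = e_K(m_b)
    b_prime = adversary.stage_two(c, state)   # Stage Two: b' <- A(c, St)
    return b == b_prime

class ReencryptingAdversary:
    """Holding pk, the adversary encrypts m0 itself and compares with the challenge.
    This only works because the scheme has no randomiser (R is trivial)."""
    def __init__(self, encrypt):
        self.encrypt = encrypt
    def stage_one(self, pk):
        m0, m1 = 65, 123                      # constructed sample messages
        return m0, m1, (pk, m0)
    def stage_two(self, c, state):
        pk, m0 = state
        return 0 if self.encrypt(pk, m0) == c else 1

class GuessingAdversary:
    """Baseline adversary that ignores the ciphertext: its advantage tends to 0."""
    def stage_one(self, pk):
        return 65, 123, None
    def stage_two(self, c, state):
        return secrets.randbelow(2)

def estimate_advantage(adversary_factory, trials=400):
    """Empirical Adv = |P(b = b') - 1/2| over repeated independent runs of the game."""
    wins = sum(cpa_game(rsa_keygen, rsa_encrypt, adversary_factory()) for _ in range(trials))
    return abs(wins / trials - 0.5)

if __name__ == "__main__":
    print("re-encrypting adversary:", estimate_advantage(lambda: ReencryptingAdversary(rsa_encrypt)))
    print("guessing adversary:     ", estimate_advantage(GuessingAdversary))
```

Substituting a randomised scheme for `rsa_encrypt` (ElGamal, for instance, which draws a fresh y on every call) makes the re-encryption comparison fail, and under the DDH assumption that adversary's advantage drops back to the guessing baseline.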

3 Introduction to Homomorphic Cryptography

We will now give the formal framework of homomorphic cryptography and describe the necessary mathematical background.

3.1 Homomorphisms

Let us recall the following definition:

Definition 3.1. Let A, B be algebras over a field F, and define ·_X, +_X, ×_X to be the scalar product, addition and product respectively in algebra X. A function f : A → B is an algebra homomorphism if ∀x, y ∈ A, ∀k ∈ F,

1. f(k ·_A x) = k ·_B f(x)

2. f(x +_A y) = f(x) +_B f(y)

3. f(x ×_A y) = f(x) ×_B f(y)

In [RAD78], Rivest, Adleman and Dertouzos observed that one of the basic limitations of the cryptography known at that time was that computations on encrypted data were not possible without first performing decryption. We have remarked that in the framework of modern cryptography, the message space M and the ciphertext space C are algebraic structures, and the family E of encryption functions and D of decryption functions are maps from one algebraic structure to another. In light of this remark, they considered the possibility of introducing certain well-behaved structures on the encryption and decryption functions. Specifically, they considered introducing homomorphisms into the encryption and decryption functions, so that any computation on encrypted data would be reflected as a well-behaved response on the plaintext. This led them to introduce the notion of general privacy homomorphism in [RAD78].

Definition 3.2. Let

$U = (S, \{f_1, f_2, \cdots\}, \{p_1, p_2, \cdots\}, \{s_1, s_2, \cdots\})$

$U' = (S', \{f'_1, f'_2, \cdots\}, \{p'_1, p'_2, \cdots\}, \{s'_1, s'_2, \cdots\})$

be algebraic systems, where S, S′ are sets of elements, $f_i, f'_i$ are some operations, $p_i, p'_i$ are some predicate functions, and $s_i, s'_i$ are some distinguished constants, for all i = 1, 2, ···. An encoding function φ : U → U′, with the decoding function γ : U′ → U such that γ ∘ φ = I, is a general privacy homomorphism if φ is a homomorphism such that ∀i = 1, 2, ···, ∀a, b, c, ··· ∈ S

1. $f'_i(\varphi(a), \varphi(b), \cdots) = \varphi(c) \Rightarrow f_i(a, b, \cdots) = c$

2. $p'_i(\varphi(a), \varphi(b), \cdots) \equiv p_i(a, b, \cdots)$

Remark 3.1: One might note that this is slightly different from what was presented in [RAD78].

Of course, in this form, we can't really incorporate this notion of general privacy homomorphism into cryptographic uses. For example, one can just set U = U′ and define φ = I = γ, the identity function. Rivest et al. proposed six additional properties that must be satisfied so that it is suitable for cryptographic uses:

1. φ and γ should be easily computable.

2. The operations f′_i and predicates p′_i in C should be easily computable.

3. ∀x ∈ S, φ(x) should not require much more space than x.

4. IND-CPA: Possession of large number of φ(x) for many x ∈ S should not be sufficient to reveal γ.

5. IND-CCA1: Knowledge of x ∈ S and φ(x) for several x should not reveal γ.

6. Operations and predicates in C should not be sufficient to yield an efficient computation of γ.

When it was shown that there exists a secure fully homomorphic cryptosystem (up to a certain level of security), the first three conditions became more interesting, as they indicate the efficiency of the cryptosystem.

3.2 Homomorphic Cryptography

Of course, the notion of general privacy homomorphism in Definition 3.2 is very general indeed. We have remarked that homomorphic cryptography is just a subset of general privacy homomorphism. For our purpose, we will use the following definition.

Definition 3.3. A fully homomorphic cryptosystem is a cryptosystem with (M, ·_M, +_M) and (C, ·_C, +_C) both viewed as rings with specified ring operations, such that for any K ∈ K, ∀m1, m2 ∈ M,

$m_1 +_{\mathcal{M}} m_2 = d_K(e_K(m_1) +_{\mathcal{C}} e_K(m_2))$

$m_1 \cdot_{\mathcal{M}} m_2 = d_K(e_K(m_1) \cdot_{\mathcal{C}} e_K(m_2))$

One might find that the above definition requires a strong structure to exist in the cryptosystem. Indeed, it wasn't until quite recently, when Gentry demonstrated a fully homomorphic cryptosystem in [Gen09], that we were even sure such a construct could exist. We instead settle for a cryptosystem with a weaker definition for applications that require some computations on encrypted data.

Definition 3.4. A partially homomorphic cryptosystem is a cryptosystem with (M, ·_M) and (C, ·_C) both viewed as groups with specified group operations, such that for any K ∈ K, ∀m1, m2 ∈ M,

$m_1 \cdot_{\mathcal{M}} m_2 = d_K(e_K(m_1) \cdot_{\mathcal{C}} e_K(m_2))$

Partially homomorphic cryptosystems and fully homomorphic cryptosystems are the two extreme classes at the ends of a scale measuring the degree of homomorphism supported by a class of cryptosystems. There is indeed some middle ground, which is collectively defined as follows:

Definition 3.5. A somewhat homomorphic cryptosystem is a cryptosystem with (M, ·_M, +_M) and (C, ·_C, +_C) both viewed as rings with specified ring operations, which supports a limited number of ciphertext-level ring operations before decryption fails.

Some authors require an additional criterion for a practical cryptosystem. Let pk be the public key, T the set of circuits supported by the cryptosystem, and $\vec{c} = (c_1, \cdots, c_t)$ be a vector of ciphertexts. We define a function Evaluate that takes as input pk, C ∈ T, and $\vec{c}$, and outputs the circuit C applied to the ciphertexts. We can then define compactness:

Definition 3.6. A cryptosystem with Evaluate is said to be compact if there exists a polynomial p such that for any security parameter λ, any circuit C ∈ T, any key pair K = (sk, pk), and any t plaintexts m1, ···, mt with corresponding ciphertexts c1, ···, ct (i.e. ci = e_pk(mi), ∀i ≤ t), the decryption algorithm d_sk can be expressed as a circuit of size at most p(λ).

Our discussion will be restricted to cryptosystems which are compact, so we will omit the above definition from our discussion. We will present a more in-depth treatment and introduce various cryptosystems later, when we discuss the practicality of each class of homomorphic cryptosystem.

3.3 Security of Homomorphic Cryptosystems

As our emphasis is the practicality of homomorphic cryptosystems, our account of the security of each cryptosystem will not be complete. However, later discussions on the practicality of each class of homomorphic cryptosystem will inherently involve some discussion of the specific security of each cryptosystem, as the primary task of a cryptosystem is to ensure the security of our data.

4 Partially Homomorphic Cryptosystem

Almost every real-world computation requires some combination of addition and multiplication to be carried out. Thus, for a cryptosystem to be able to perform homomorphic computations on encrypted data, strictly speaking it should possess both additive and multiplicative homomorphisms. In this light, partially homomorphic cryptosystems do not seem to be strong enough to be implemented to perform any real-world computations securely.

However, there are ways to reduce a specific operation when performing these computations. For example, under certain circumstances, the homomorphic multiplication operations between variables can be omitted, especially in a two-party setting where the party performing the homomorphic computations is also providing some of the variables. It turns out that by considering these reductions, partially homomorphic cryptosystems are sufficient for many private computations. Since partially homomorphic cryptosystems are less expensive to implement than fully homomorphic cryptosystems, they are indeed preferred whenever possible. In particular, most of the recent schemes for private database computations between two parties only require the underlying cryptosystem to be partially homomorphic, including the FNP private matching and set intersection scheme by Freedman, Nissim and Pinkas in [FNP04] and the more recent BGHWW scheme by Boneh, Gentry, Halevi, Wang and Wu introduced in [BGH+13], which allows more general private database queries. We will present an informal list of the performance results of some of these schemes based on the author's implementation of such schemes.

It is therefore not surprising that most current practical implementations of homomorphic cryptosystems are partially homomorphic cryptosystems. In fact, most implementations use additively partially homomorphic cryptosystems, whereas multiplicatively partially homomorphic cryptosystems are less often implemented. In this section, we will discuss both of these cryptosystems and examine a major cryptosystem from each category.

4.1 Multiplicative Partially Homomorphic Cryptosystem

Although relatively few multiplicative partially homomorphic cryptosystems exist (cf. [Hen08] for a rather comprehensive list of these cryptosystems), these cryptosystems are in fact among the first to be proposed and studied in the literature. We have remarked before that the basic unpadded RSA cryptosystem is known to possess multiplicative homomorphism. One of the major cryptosystems in this class is what is known as the ElGamal cryptosystem, introduced by ElGamal in [ElG85].

Let us define the following problems:

Definition 4.1. Let G be a cyclic group of order q, and let g ∈ G be a generator. The Computational Diffie-Hellman Problem, denoted as CDH, is the problem of calculating $g^{ab}$, given two group elements $g^a, g^b \in G$, without knowledge of a and b.

Definition 4.2. Let G be a cyclic group of order q, and let g ∈ G be a generator. Given two group elements $g^a, g^b \in G$, the Decisional Diffie-Hellman Problem, denoted as DDH, is the problem of distinguishing between $g^{ab}$ and $g^c$ for some random integer c, without knowledge of a and b.

Both problems are related to the discrete logarithm problem (DLP) for groups. It is clear that a solution to the DLP can be reduced to a solution to both the CDH and the DDH. While it is still unknown whether a solution to CDH can be reduced to a solution to DLP, it is known that there are some groups, e.g. an elliptic curve group that supports a bilinear pairing, in which there exists a solution for DDH, but the solution cannot be reduced to a solution for the DLP [Hen08].

With this, we can describe the ElGamal cryptosystem:

ElGamal Cryptosystem. Let G be a cyclic group of prime order q such that both CDH and DDH are hard in G, and let g ∈ G be a generator. The ElGamal cryptosystem is the six-tuple

$(\mathcal{M} = G,\; \mathcal{C} = G \times G,\; \mathcal{K} = \{(q, g, x, h) ;\, h \equiv g^x \bmod q\},\; \mathcal{E},\; \mathcal{D},\; \mathcal{R} = \mathbb{Z}_q)$

with the following algorithms:

KeyGen: Given a security parameter ε,

$\mathrm{KeyGen}(\varepsilon) \to (g \in G,\; h = g^x)$

where G is a cyclic group of ε-bit order q, g is a generator of G, and x ∈ Z_q is random. Return the public key pk = (G, q, g, h) and the secret key sk = (G, q, g, x).

Enc: Given a public key pk and a message m ∈ M, e_pk ∈ E is defined as

$e_{pk}(m) = (g^y \bmod q,\; m \cdot h^y \bmod q)$

for some random y ∈ R.

Dec: Given a secret key sk and a ciphertext c = (c1, c2) ∈ C, d_sk ∈ D is defined as

$d_{sk}(c) = \frac{c_2}{c_1^{x}} \bmod q$

Correctness is easy to see: if c = e_pk(m) = (g^y mod q, m · h^y mod q), then

$d_{sk}(c) = \frac{c_2}{c_1^{x}} \bmod q = \frac{m \cdot h^y}{g^{xy}} \bmod q = \frac{m \cdot (g^x)^y}{g^{xy}} \bmod q = m \bmod q$

The security of the ElGamal cryptosystem can be framed in the following theorem, which will be stated without proof (cf. [Hen08] for a proof).

Theorem 4.1. If CDH is hard, then the ElGamal encryption algorithms are not invertible by an adversary. Furthermore, if DDH is hard, then ElGamal ciphertexts are semantically secure.

Given two messages m1, m2 and their corresponding ciphertexts (c1, c′1), (c2, c′2), then

$(c_1 c_2,\; c'_1 c'_2) = (g^{y_1} g^{y_2} \bmod q,\; (m_1 m_2) h^{y_1} h^{y_2} \bmod q)$

which is a valid encryption of m1m2. Furthermore, if k is some constant, then

$(c_1,\; k c'_1) = (g^{y_1} \bmod q,\; (k m_1) h^{y_1} \bmod q)$

$(c_1^k,\; (c'_1)^k) = (g^{k y_1} \bmod q,\; m_1^k h^{k y_1} \bmod q)$

which are valid encryptions of km1 and m1^k respectively, so ElGamal also supports these multiplicative operations. Thus, the ElGamal cryptosystem is indeed a multiplicative partially homomorphic cryptosystem.
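The following is an added Python example, not code from the paper, that implements the ElGamal algorithms above and checks all three ciphertext-level operations by decrypting the combined ciphertexts. It assumes G is the order-q subgroup of Z_p^* with p = 2q + 1 a safe prime (so the group arithmetic is reduced modulo p, where the description above writes mod q), uses constructed toy parameters p = 2039, q = 1019, g = 4 that are far too small for real use, and requires messages to be elements of G (quadratic residues modulo p), as M = G demands.

```python
import secrets

# Constructed toy parameters (assumption, not from the paper): G is the
# order-q subgroup of Z_p^* for the safe prime p = 2q + 1. Far too small for real use.
P = 2039
Q = 1019
G = 4   # 2^2 mod p is a quadratic residue other than 1, hence a generator of the order-q subgroup

def keygen():
    """KeyGen: pick x uniformly in Z_q, publish h = g^x. Returns (pk, sk)."""
    x = secrets.randbelow(Q - 1) + 1
    h = pow(G, x, P)
    return (P, Q, G, h), (P, Q, G, x)

def encrypt(pk, m):
    """Enc: e_pk(m) = (g^y, m * h^y) with a fresh random y in R = Z_q."""
    p, q, g, h = pk
    # m must lie in G: elements of the order-q subgroup satisfy m^q = 1 mod p
    assert pow(m, q, p) == 1, "message must be an element of the order-q subgroup"
    y = secrets.randbelow(q - 1) + 1
    return pow(g, y, p), (m * pow(h, y, p)) % p

def decrypt(sk, c):
    """Dec: d_sk(c1, c2) = c2 / c1^x, inverting c1^x with Fermat's little theorem."""
    p, q, g, x = sk
    c1, c2 = c
    return (c2 * pow(pow(c1, x, p), p - 2, p)) % p

def mul_ciphertexts(pk, c, d):
    """(c1 c2, c1' c2'): encrypts m1 * m2."""
    p = pk[0]
    return (c[0] * d[0]) % p, (c[1] * d[1]) % p

def scale_ciphertext(pk, c, k):
    """(c1, k c1'): encrypts k * m1 for a public constant k."""
    p = pk[0]
    return c[0], (k * c[1]) % p

def pow_ciphertext(pk, c, k):
    """(c1^k, c1'^k): encrypts m1^k for a public constant k."""
    p = pk[0]
    return pow(c[0], k, p), pow(c[1], k, p)

def demo_homomorphisms(m1, m2, k):
    """Return (m1*m2, k*m1, m1^k) as recovered by decrypting the combined ciphertexts."""
    pk, sk = keygen()
    c1, c2 = encrypt(pk, m1), encrypt(pk, m2)
    return (decrypt(sk, mul_ciphertexts(pk, c1, c2)),
            decrypt(sk, scale_ciphertext(pk, c1, k)),
            decrypt(sk, pow_ciphertext(pk, c1, k)))

if __name__ == "__main__":
    # 9 = 3^2 and 25 = 5^2 are quadratic residues, so they lie in G
    print(demo_homomorphisms(9, 25, 3))
```

Note that every ciphertext-level operation above produces a well-formed ciphertext under a randomiser the sender never chose (y1 + y2 or k·y1); this is the malleability that Section 1 flags as a security concern and that IND-CCA2 variants such as Cramer-Shoup remove at the cost of the homomorphism.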

The above cryptosystem is the original basic ElGamal cryptosystem. Many other variants of the ElGamal cryptosystem exist, proposed to address different security concerns, such as the Cramer-Shoup cryptosystem, which also provides IND-CCA2 security. Most of these variants, however, lose the multiplicative homomorphism property of the original ElGamal cryptosystem, and as such are left out of this discussion.

Although the ElGamal cryptosystem possesses a multiplicative homomorphism, in practice it is less often implemented in current industrial applications. This is true of the entire class of multiplicative partially homomorphic cryptosystems in general, especially in a two-party setting. This is mainly because in a two-party setting one can, in general, reduce the number of multiplicative operations in a computational algorithm. One can think of any expression as a polynomial. In fact, one can go further: by viewing the variables that the computing party provides as constants (i.e. non-secret messages), one can further reduce this polynomial expression into a linear combination of univariate polynomials in the second party's variables. In this reduction, only an additive and a constant-multiplicative homomorphism are needed. See Section 4.2 for more details. Thus, a multiplicative partially homomorphic cryptosystem becomes ill-suited under such reductions, and hence is less favoured in such applications.

4.2 Additive Partially Homomorphic Cryptosystem

The state of the art for additive partially homomorphic cryptosystems is very different from that of multiplicative partially homomorphic cryptosystems. For one, most additive partially homomorphic cryptosystems are very well studied. The Paillier cryptosystem and its various variants remain among the most studied cryptosystems in the field of homomorphic cryptography, and there exists extensive literature on the study of the Paillier cryptosystem [Pai99, DJ01, Jur03, SST05].

For the purpose of our discussion, perhaps more important is the fact that this class of homomorphic cryptosystem is the most implemented for industrial applications. In particular, the Paillier cryptosystem (or some variant of it) is one of the most implemented homomorphic cryptosystems in actual industrial applications today. In fact, we remarked in the previous section that an additive partially homomorphic cryptosystem is sufficient for applications in a two-party setting, and indeed most assume the underlying cryptosystem to be the Paillier cryptosystem, e.g. the schemes discussed in [FNP04] and [BGH+13]. Thus, for the rest of this section, we shall focus on the Paillier cryptosystem.

The Paillier cryptosystem was first introduced in 1999 by Paillier in his paper [Pai99]. The Paillier cryptosystem is based on a rather unconventional computational problem, which is defined below, along with the other preliminary definitions needed.

Definition 4.3. Let m, r ∈ Z, where m < r, and let y ∈ Z_m. y is an r-th residue modulo m if there exists x ∈ Z*_m such that

$y = x^r \bmod m$

We can then ask the following well-known problem:

Definition 4.4. The Weak r-th Residue Problem is the problem of determining whether y ∈ Z*_m is an r-th residue modulo m.

Consider then the special case in which we are interested in the n-th Residue Problem in $\mathbb{Z}^*_{n^2}$, where n = pq is the product of two large primes. In this special case, this problem is known as the Composite Residuosity Problem, denoted as CR[n]. CR[n] is conjectured to be intractable.

Paillier showed the following in [Pai99]:

Lemma 4.1. For a fixed $g \in \mathbb{Z}^*_{n^2}$, define

$E_g : \mathbb{Z}_n \times \mathbb{Z}^*_n \to \mathbb{Z}^*_{n^2}$

$E_g(x, y) = g^x \cdot y^n \bmod n^2$

If the order of g is a nonzero multiple of n, then E_g is bijective. Furthermore, let λ = lcm(p − 1, q − 1) be the Carmichael function of n. If g is of order αn for some α ∈ {1, ···, λ}, then x ∈ Z_n is unique.

Then, we have the following:

Definition 4.5. Let $g \in \mathbb{Z}^*_{n^2}$ whose order is αn for some α ∈ {1, ···, λ}. For any $w \in \mathbb{Z}^*_{n^2}$, the n-th residuosity class of w with respect to g is the unique x ∈ Z_n such that there exists $y \in \mathbb{Z}^*_n$ satisfying

$w = g^x \cdot y^n \bmod n^2$

We denote the n-th residuosity class of w with respect to g as $[w]_g$.

And thus, we have the following computational problem.

Definition 4.6. Let $g \in \mathbb{Z}^*_{n^2}$ whose order is αn for some α ∈ {1, ···, λ}. The n-th Residuosity Class Problem of Base g, denoted as Class[n, g], is the computational problem of computing the class function $[w]_g$ for some $w \in \mathbb{Z}^*_{n^2}$.

Paillier further showed that we can reduce this problem in the following way.

Theorem 4.2. Class[n, g] is random-self-reducible over both $g \in \mathbb{Z}^*_{n^2}$, whose order is αn for some α ∈ {1, ···, λ}, and $w \in \mathbb{Z}^*_{n^2}$.

Thus, the difficulty of the n-th Residuosity Class Problem depends only on n, and hence it is usually restated as the Composite Residuosity Class Problem and denoted as Class[n]. It is this problem that becomes the foundation for the original Paillier cryptosystem. Class[n] is conjectured to be intractable. As before, we also have the decisional version of the problem.

Definition 4.7. Let $g \in \mathbb{Z}^*_{n^2}$ whose order is αn for some α ∈ {1, ···, λ}. Given $w \in \mathbb{Z}^*_{n^2}$, x ∈ Z_n, the Decisional n-th Residuosity Class Problem, denoted as D-Class[n], is the computational problem of deciding whether

$[w]_g = x$

We will need the following number-theoretic results.

Theorem 4.3. Let $g \in \mathbb{Z}^*_{n^2}$ whose order is αn for some α ∈ {1, ···, λ}. Define the set

$S_n = \{u \in \mathbb{Z}_{n^2} ;\, u = 1 \bmod n\}$

Define the function

$L(x) = \frac{x - 1}{n} \bmod n$

Then, ∀w,w1, w2 ∈ Z∗n2 , the following is true

1. [w1w2]g = [w1]g + [w2]g mod n

2. For h ∈ Z∗n2 , whose order is of βn for some β ∈ {1, · · · , λ},

[w]h = [w]g[g]h mod n

3. [w]g = 0⇔ w is a n-th residue modulo n2

4. L(wλ mod n2) = λ[w]1+n mod n

Proof. Let $[w]_g = x$, $[w_1]_g = x_1$, $[w_2]_g = x_2$. We can write

$$w_1 w_2 = (g^{x_1} y_1^n)(g^{x_2} y_2^n) \bmod n^2 = g^{x_1 + x_2} (y_1 y_2)^n \bmod n^2$$

and since $y_1 y_2 \in \mathbb{Z}_n^*$,

$$[w_1 w_2]_g = x_1 + x_2 = [w_1]_g + [w_2]_g \bmod n$$

which proves 1. Now, for $h \in \mathbb{Z}_{n^2}^*$, there exists a $(z, r) \in \mathbb{Z}_n \times \mathbb{Z}_n^*$ such that

$$g = h^z r^n \bmod n^2$$

Therefore,

$$w = g^x y^n = (h^z r^n)^x y^n = h^{xz} (r^x y)^n \bmod n^2 \ \Rightarrow\ [w]_h = xz = [w]_g [g]_h \bmod n$$

as required by 2. For 3, both implications are clear. Now, the function L is clearly well-defined, and $1 + n \in \mathbb{Z}_{n^2}^*$ is of order n. Suppose $w = (1+n)^x y^n \bmod n^2$. Then,

$$L(w^\lambda \bmod n^2) = L((1+n)^{\lambda x} y^{\lambda n} \bmod n^2) = L((1+n)^{\lambda x} \bmod n^2) = L(1 + \lambda x n \bmod n^2) = \frac{1 + \lambda x n - 1}{n} \bmod n = \lambda x \bmod n = \lambda [w]_{1+n} \bmod n$$

which proves 4.


This theorem includes all the major number-theoretic properties for the Paillier cryptosystem. In particular, property 1 shows that

$$[\cdot]_g : (\mathbb{Z}_{n^2}^*, \times) \to (\mathbb{Z}_n, +)$$

is a homomorphism for any suitable g. Thus, $[\cdot]_g$ is a suitable decryption function for a potential additive partially homomorphic cryptosystem. Paillier also showed in [Pai99] that by property 4, the hardness of the Factoring Problem, Fact[n], implies the hardness of Class[n]. It is still an open question whether the reverse implication is also true.

With the above theorem, we can now describe the Paillier cryptosystem.

Paillier Cryptosystem. Let $n = pq$ for some large primes p and q, and let $\lambda = \mathrm{lcm}(p-1, q-1)$. Define the function

$$L(x) = \frac{x - 1}{n} \bmod n$$

The Paillier cryptosystem is the six-tuple

$$(\mathcal{M} = \mathbb{Z}_n,\ \mathcal{C} = \mathbb{Z}_{n^2}^*,\ \mathcal{K} = \{(n, p, q, \lambda, g) ;\ g \in \mathbb{Z}_{n^2}^* \text{ and } \gcd(L(g^\lambda \bmod n^2), n) = 1\},\ \mathcal{E}, \mathcal{D},\ \mathcal{R} = \mathbb{Z}_n)$$

with the following algorithms:

KeyGen: Given a security parameter $\varepsilon$,

$$\mathrm{KeyGen}(\varepsilon) \to (g \in \mathbb{Z}_{n^2}^* ;\ \gcd(L(g^\lambda \bmod n^2), n) = 1)$$

where $n = pq$ for $\frac{\varepsilon}{2}$-bit primes p and q, and $\lambda = \mathrm{lcm}(p-1, q-1)$. Return public key $pk = (n, g)$ and secret key $sk = (p, q, \lambda)$.

Enc: Given a public key pk and a message $m \in \mathcal{M}$, $e_{pk} \in \mathcal{E}$ is defined as

$$e_{pk}(m) = g^m y^n \bmod n^2$$

for some random $y \in \mathcal{R}$.

Dec: Given a secret key sk and a ciphertext $c \in \mathcal{C}$, $d_{sk} \in \mathcal{D}$ is defined as

$$d_{sk}(c) = \frac{L(c^\lambda \bmod n^2)}{L(g^\lambda \bmod n^2)} \bmod n$$

Correctness of the decryption is a direct implication of Theorem 4.3: if $c = e_{pk}(m) = g^m y^n \bmod n^2$, then by Theorem 4.3,

$$d_{sk}(c) = \frac{L(c^\lambda \bmod n^2)}{L(g^\lambda \bmod n^2)} \bmod n = \frac{\lambda [c]_{1+n}}{\lambda [g]_{1+n}} \bmod n = \frac{\lambda [c]_g [g]_{1+n}}{\lambda [g]_{1+n}} \bmod n = [c]_g = m$$

As before, the following theorem describes the security of the Paillier cryptosystem.

Theorem 4.4. Assuming Class[n] is hard, the Paillier encryption algorithms are not invertible by an adversary. Furthermore, Paillier ciphertexts are semantically secure if and only if $D\text{-}Class[n]$ is hard.


Given two messages $m_1, m_2$ with the corresponding ciphertexts $c_1, c_2$, then

$$c_1 c_2 = g^{m_1} y_1^n \cdot g^{m_2} y_2^n = g^{m_1 + m_2} (y_1 y_2)^n \bmod n^2$$

which is a valid encryption of $m_1 + m_2$. Constant multiplication is also preserved: let k be a constant, then

$$c_1^k = g^{k m_1} (y_1^k)^n \bmod n^2$$

which is a valid encryption of $k m_1$. Hence, the Paillier cryptosystem is indeed an additive partially homomorphic cryptosystem.

There exist many variants of the Paillier cryptosystem, with different goals in mind. For one, in order to speed up the decryption algorithm, the Fast Decryption Variant was introduced by Paillier by setting the encryption of a message m to be

$$c = g^{m + nr} \bmod n^2$$

and setting the private key to be $(p, q, \alpha)$, where $\alpha n$ is the order of g. Then, the decryption algorithm is

$$m = \frac{L(c^\alpha \bmod n^2)}{L(g^\alpha \bmod n^2)} \bmod n$$

Since $\alpha \in \{1, \cdots, \lambda\}$, the decryption algorithm will be more efficient than that of the original scheme. Additionally, all the homomorphic properties of the original Paillier cryptosystem are inherited. Another variant is the Damgård-Jurik cryptosystem, introduced by Damgård and Jurik in their paper [DJ01]. The Damgård-Jurik cryptosystem is in fact a generalisation of the original Paillier cryptosystem, obtained by considering $\mathcal{M} = \mathbb{Z}_{n^s}$ and $\mathcal{C} = \mathbb{Z}_{n^{s+1}}^*$. It is known that in this setting, the ciphertext expansion rate is $\frac{s+1}{s}$. Thus, the original Paillier cryptosystem has a ciphertext expansion rate of 2, a reasonably efficient rate. In theory it is possible to make the ciphertext expansion rate arbitrarily close to 1, but this makes the encryption and decryption algorithms more expensive to compute.

4.3 Problem Reduction Method

Additive partially homomorphic cryptosystems seem to fall short of being practical in industrial applications, as most computations require some multiplicative operations. We have however remarked previously that, especially in a two-party setting, in practice one can reduce the number of, or sometimes eliminate, multiplicative operations in a computational expression.

Let $\vec a = (a_0, a_1, \cdots, a_m)$ be Alice's variables and $\vec b = (b_0, b_1, \cdots, b_n)$ be Bob's variables. Consider the following generic computational expression:

$$f(\vec x, \vec y) = \sum_{l \le k} c_l\, g_l(\vec x, \vec y)$$

where $\forall l \le k$,

$$g_l(\vec x, \vec y) = \prod_{i \le m} x_i^{d_{li}} \cdot \prod_{j \le n} y_j^{e_{lj}}$$

In theory, one will require the cryptosystem to be fully homomorphic, or somewhat homomorphic supporting a suitable amount of multiplicative and additive operations, in order to compute f privately. However, suppose Bob is computing f. One will immediately realise that Bob need not encrypt his variables $\vec b$. This immediately eliminates some multiplicative operations in f, reducing it to an expression on $\vec x$ of the form

$$f(\vec x) = \sum_{l \le k} C_l \prod_{i \le m} x_i^{d_{li}}$$

where

$$C_l = c_l \prod_{j \le n} y_j^{e_{lj}}$$


Furthermore, suppose f is not secret. Then, instead of naively encrypting $\vec a$ and sending these encryptions to Bob, Alice can instead compute each $\prod_{i \le m} a_i^{d_{li}}$ and send the encrypted results

$$\vec e_a = \left( e_{pk}\Big(\prod_{i \le m} a_i^{d_{1i}}\Big), \cdots, e_{pk}\Big(\prod_{i \le m} a_i^{d_{ki}}\Big) \right)$$

Hence, f can be further reduced to

$$f(\vec z) = \sum_{l \le k} C_l z_l$$

In this reduced form, a cryptosystem which supports additive and constant multiplicative homomorphism is sufficient to securely compute f.
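As an added example that is not code from the paper or from the ACSC library it benchmarks, the following Python implements the Paillier six-tuple of Section 4.2 (KeyGen, Enc, Dec with the function L) and then has Bob evaluate the reduced form $f(\vec z) = \sum_{l \le k} C_l z_l$ on Alice's encrypted monomials using only the additive and constant-multiplicative homomorphisms. The primes, Alice's values, the exponent matrix and Bob's constants are constructed for the demonstration and are toy-sized.

```python
"""Toy Paillier cryptosystem and the reduced-form evaluation of Section 4.3.

Added example: not code from the paper or from the ACSC library it benchmarks.
The primes below are deliberately tiny (a deployment uses ~512-bit p and q for a
1024-bit n, as in Section 7); everything else follows the six-tuple definition.
"""
from math import gcd, prod
from random import Random


def lcm(a, b):
    return a * b // gcd(a, b)


class Paillier:
    def __init__(self, p, q, rng=None):
        assert p != q and gcd(p * q, (p - 1) * (q - 1)) == 1
        self.n, self.n2 = p * q, (p * q) ** 2
        self.lam = lcm(p - 1, q - 1)            # Carmichael function of n
        self.rng = rng or Random().randrange
        # KeyGen: pick g in Z*_{n^2} with gcd(L(g^lam mod n^2), n) = 1, so that
        # the denominator of Dec is invertible mod n.
        while True:
            g = self.rng(1, self.n2)
            if gcd(g, self.n2) != 1:
                continue
            denom = self.L(pow(g, self.lam, self.n2))
            if gcd(denom, self.n) == 1:
                break
        self.g = g
        self.mu = pow(denom, -1, self.n)        # 1 / L(g^lam mod n^2) mod n

    def L(self, x):
        # L(x) = (x - 1) / n mod n; x is always = 1 mod n where L is applied,
        # so the division is exact.
        return (x - 1) // self.n % self.n

    def encrypt(self, m):
        # Enc: g^m * y^n mod n^2 for a random y in Z*_n (fresh per ciphertext)
        while True:
            y = self.rng(1, self.n)
            if gcd(y, self.n) == 1:
                break
        return pow(self.g, m % self.n, self.n2) * pow(y, self.n, self.n2) % self.n2

    def decrypt(self, c):
        # Dec: L(c^lam mod n^2) / L(g^lam mod n^2) mod n
        return self.L(pow(c, self.lam, self.n2)) * self.mu % self.n

    def add(self, c1, c2):
        # Theorem 4.3 (1): the product of ciphertexts encrypts the sum mod n
        return c1 * c2 % self.n2

    def mul_const(self, c, k):
        # c^k encrypts k * m mod n (k is a public constant, not a ciphertext)
        return pow(c, k % self.n, self.n2)


def alice_monomials(a, exps):
    """Alice's side: f is public, so she evaluates each monomial prod_i a_i^{d_li}
    in the clear and only the results z_l get encrypted."""
    return [prod(ai ** d for ai, d in zip(a, row)) for row in exps]


def bob_reduced_form(scheme, enc_z, C):
    """Bob's side: from encryptions of z_1..z_k and his own plaintext constants
    C_1..C_k, build an encryption of f(z) = sum_l C_l z_l. Bob never sees any z_l."""
    acc = scheme.encrypt(0)     # start from a fresh encryption of 0 (re-randomises)
    for c_l, C_l in zip(enc_z, C):
        acc = scheme.add(acc, scheme.mul_const(c_l, C_l))
    return acc


def demo(seed=1):
    """Constructed instance: Alice holds a = (3, 5); the public exponent matrix
    makes z = (a_1, a_2, a_1^2 a_2) = (3, 5, 45); Bob's constants are (7, 11, 2).
    Returns (decrypted result, plaintext reference); both should be 166."""
    scheme = Paillier(1019, 1021, Random(seed).randrange)
    a, exps, C = (3, 5), [(1, 0), (0, 1), (2, 1)], (7, 11, 2)
    z = alice_monomials(a, exps)
    enc_z = [scheme.encrypt(zl) for zl in z]
    result = scheme.decrypt(bob_reduced_form(scheme, enc_z, C))
    return result, sum(Cl * zl for Cl, zl in zip(C, z))
```

Note that the result is only meaningful while $\sum_l C_l z_l < n$, which is why the message space must be sized for the largest value the formula can take.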

The above assumptions, used to derive a reduced form of a generic computational expression in a two-party setting, are quite reasonable in practice. Indeed, oftentimes the computational expression is a publicly known formula. In light of this fact, much of the recent literature on the implementation of homomorphic cryptography for two-party private computing only requires the underlying cryptosystem to be additive partially homomorphic. Most explicitly assume the underlying cryptosystem to be the original Paillier cryptosystem. Recent examples are the efficient FNP private set matching and set intersection methods of Freedman et al., described in [FNP04], and the general private database query BGHWW scheme of Boneh et al., described in their paper [BGH+13]. See Section 7 for some informal performance results of the implementation of FNP with the Paillier cryptosystem.

5 Somewhat Homomorphic Cryptosystem

While the class of partially homomorphic cryptosystems is well-known and well-studied, it wasn't until quite recently that a cryptosystem exhibiting both additive and multiplicative homomorphisms, even if it only supports a limited number of these homomorphisms, was known to exist. In 2005, Boneh, Goh and Nissim constructed the first somewhat homomorphic cryptosystem in their paper [BGN05], thus showing that such a class of cryptosystems does indeed exist.

Even though somewhat homomorphic cryptosystems still fall short of being fully homomorphic, they nevertheless enhance the capabilities and the practicality of homomorphic cryptography, hence accounting further for certain more general multi-party settings of previously considered problems, besides enlarging the class of computational expressions that can be securely computed using homomorphic cryptography. In fact, as shown in [NLV11], one might be able to argue that this may be sufficient for most actual computations that might require homomorphic cryptography, as it is often the case that the number of additive and multiplicative operations in the computation is bounded and known beforehand.

In terms of practicality, at the current state of the art, somewhat homomorphic cryptosystems offer superior efficiency when compared to fully homomorphic cryptosystems. Although the efficiency has vastly improved for fully homomorphic cryptosystems, especially with recent schemes which deviate from Gentry's blueprint (see Section 6 for more details), in general most implementations of somewhat homomorphic cryptosystems are still more efficient. For a detailed discussion of the performance of the class of somewhat homomorphic cryptosystems, we refer the reader to [NLV11].

In this section, we will examine the BGN cryptosystem.

5.1 The BGN Cryptosystem

The BGN cryptosystem, introduced by Boneh et al. in their paper [BGN05], is a powerful cryptosystem which supports an arbitrary number of additions and one multiplication, possibly followed by an arbitrary number of additions. The BGN cryptosystem is based on the Paillier cryptosystem, which is where it derives its additive homomorphism. In fact, one can view the BGN cryptosystem as a modified Elliptic Curve Paillier cryptosystem, as defined by Galbraith in [Gal02]. Whilst Galbraith's Elliptic Curve Paillier cryptosystem does not support multiplicative homomorphism, Boneh et al. showed with their cryptosystem how one can modify the Elliptic Curve Paillier to support one multiplication.

Let us recall the following definition:

Definition 5.1. Let G and $G_1$ be two multiplicative cyclic groups of order n, and let $g \in G$ be a generator. A map $e : G \times G \to G_1$ is bilinear if $\forall x, y \in G$, $a, b \in \mathbb{Z}$, we have that

$$e(x^a, y^b) = e(x, y)^{ab}$$

and $e(g, g)$ is a generator of $G_1$.

Remark 5.1: Note that in practice, we also require e and the group action on G, $G_1$ to be polynomial-time computable.

Boneh et al. showed in [BGN05] how one can construct suitable bilinear groups G and $G_1$ of order n. The method results in the generation of an elliptic curve group equipped with the modified Weil pairing.

As usual, the security of the BGN cryptosystem is based on a computational problem.

Definition 5.2. Let $n = pq$ for some distinct odd primes p and q. The p-Subgroup Decision Problem is the computational problem of deciding whether a random element $x \in G$ has order p.

With this, we can define the BGN cryptosystem.

BGN Cryptosystem. Let $n = pq$ for some large primes p and q, and let $G, G_1$ be two multiplicative cyclic groups of order n, with $g, u \in G$ generators and e a bilinear map as defined before. Set $h = u^q$, so h is a random generator of the subgroup of G of order p. Let $T < q$. The BGN cryptosystem is the seven-tuple

$$(\mathcal{M} = \mathbb{Z}_T,\ \mathcal{C} = G,\ \mathcal{C}' = G_1,\ \mathcal{K} = \{(n, p, q, T, G, G_1, e, g, h)\},\ \mathcal{E}, \mathcal{D},\ \mathcal{R} = \mathbb{Z}_n)$$

with the following algorithms:

KeyGen: Given a security parameter $\varepsilon$,

$$\mathrm{KeyGen}(\varepsilon) \to (G, G_1, g \in G, h = u^q, e : G \times G \to G_1 ;\ \text{order of } G, G_1 \text{ is } n)$$

where $n = pq$ for $\frac{\varepsilon}{2}$-bit primes p and q, and e is bilinear. Return public key $pk = (n, g, h, G, G_1, e)$ and secret key $sk = p$.

Enc: Given a public key pk and a message $m \in \mathcal{M}$, $e_{pk} \in \mathcal{E}$ is defined as

$$e_{pk}(m) = g^m h^r \bmod n$$

for some random $r \in \mathcal{R}$.

Dec: Given a secret key sk and a ciphertext $c \in \mathcal{C}$, $d_{sk} \in \mathcal{D}$ is defined as

$$d_{sk}(c) = \log_{g^p}(c^p \bmod n) = \log_{g^p}((g^p)^m \bmod n)$$

computed by e.g. Pollard's kangaroo method for discrete logarithms.

Correctness of the decryption algorithm is clear, and the following theorem is proved in [BGN05].

Theorem 5.2. The BGN cryptosystem is semantically secure if the p-subgroup problem is hard in G.

While it is easy to see that the additive homomorphism of the cryptosystem follows essentially as in the Paillier cryptosystem, its multiplicative homomorphism is derived differently, using the bilinear map e. Given two messages $m_1, m_2$ with the corresponding ciphertexts $c_1, c_2$, observe that $h = g^{aq}$ for some unknown a. Let $r \in \mathcal{R}$ and compute

$$\begin{aligned} c' &= e(c_1, c_2)\, e(g, h)^r \\ &= e(g^{m_1} h^{r_1}, g^{m_2} h^{r_2})\, e(g, h)^r \\ &= e(g, g)^{m_1 m_2}\, e(g, h)^{m_1 r_2}\, e(g, h)^{m_2 r_1}\, e(h, h)^{r_1 r_2}\, e(g, h)^r \\ &= e(g, g)^{m_1 m_2}\, e(g, h)^{m_1 r_2 + m_2 r_1 + r}\, e(g^{aq}, h)^{r_1 r_2} \\ &= e(g, g)^{m_1 m_2}\, e(g, h)^{m_1 r_2 + m_2 r_1 + r + aq r_1 r_2} \\ &= e(g, g)^{m_1 m_2}\, e(g, h)^R \in \mathcal{C}' \end{aligned}$$

where $R = m_1 r_2 + m_2 r_1 + r + aq r_1 r_2$. Now modify the decryption to

$$d'_{sk}(c') = \log_{e(g,g)^p}((c')^p \bmod n) = \log_{e(g,g)^p}((e(g, g)^p)^{m_1 m_2} \bmod n)$$

which yields $m_1 m_2$. Observe that the additive homomorphism still holds in $\mathcal{C}' = G_1$.

For efficiency, one would like to be able to base the BGN cryptosystem on a prime-order group instead of a composite-order group. However, this may jeopardise the security of the cryptosystem, due to DDH being easy in certain bilinear groups. Freeman showed in [Fre10] how one can convert a cryptosystem with a composite-order group, such as the BGN cryptosystem, into one with a prime-order group without losing the security of the cryptosystem. In terms of performance, even with this and other optimisations, Lauter, Naehrig and Vaikuntanathan reported in [NLV11] that the BGN cryptosystem performs at best comparably to the Brakerski-Vaikuntanathan (BV) cryptosystem, another somewhat homomorphic cryptosystem. We will see later that the central ideas behind the BV cryptosystem are used extensively in constructing more efficient fully homomorphic cryptosystems.

Moreover, the BGN cryptosystem has an unusually small message space, due to the need to compute discrete logarithms [BGN05]. This is highly inconvenient for industrial implementations, as we usually require the cryptosystem to have a sufficiently large message space to encompass all possible plaintexts that may arise in our use case.

This, coupled with the unfavourable efficiency result, has relegated BGN to being just a theoretical curiosity rather than being implemented across the industry. Nevertheless, the BGN cryptosystem is important as it revealed significant insight in the hunt for an efficient fully homomorphic cryptosystem, and indicated to researchers that the fully homomorphic cryptosystem may just be possible. In fact, we will see in the next section that a vast majority of existing fully homomorphic cryptosystems are derived from some somewhat homomorphic cryptosystem.

6 Fully Homomorphic Cryptosystem

Given the applicability of partially and somewhat homomorphic cryptosystems, even when they only support group homomorphisms or a limited number of ring homomorphisms, it is clear that a fully homomorphic cryptosystem, which supports ring homomorphisms, has immense applicable value across the industry. Before 2009, the question was whether such a cryptosystem exists at all.

The Gentry cryptosystem, first described in Gentry's famed thesis [Gen09], is a truly remarkable breakthrough in homomorphic cryptography, showing that a fully homomorphic cryptosystem does indeed exist. Motivated by ideas presented in the introduction of the somewhat homomorphic GGH cryptosystem by Goldreich, Goldwasser, and Halevi, the Gentry cryptosystem is based on problems in ideal lattices [Wei13].

Unfortunately, the Gentry cryptosystem is extremely complex, and it is extremely inefficient. The Gentry cryptosystem has been known to be infeasible for implementation even when it was first introduced. One might ask the question: are all fully homomorphic cryptosystems doomed to be infeasible for practical implementation?

Perhaps not. Gentry's thesis not only provides us with the first fully homomorphic cryptosystem, it actually provides us with a general blueprint by which one can construct a fully homomorphic cryptosystem from a suitable somewhat homomorphic cryptosystem. The blueprint, known as the Gentry blueprint, has led to the construction of many recent fully homomorphic cryptosystems, each more efficient than the last. In fact, the development of some recent cryptosystems suggests that we may not be far from discovering a fully homomorphic cryptosystem which is practically implementable. We will look at the most recent of these cryptosystems, the BGV cryptosystem by Brakerski, Gentry and Vaikuntanathan [BGV12], later in this section.

We will first describe some mathematical concepts needed for the construction of fully homomorphiccryptosystems.

6.1 Mathematics of Fully Homomorphic Cryptosystems

Here we will describe the necessary mathematical background needed to state Gentry's Bootstrapping Theorem and the Gentry blueprint for the construction of fully homomorphic cryptosystems. Consider Definition 3.3. One might observe that the definition given may be too strong to be fulfilled completely. For example, what if we have a homomorphic cryptosystem that supports homomorphisms up to an arbitrary but predefined depth? Intuitively, we can see that these cryptosystems are much stronger than somewhat homomorphic cryptosystems, and that they are almost fully homomorphic cryptosystems themselves. However, Definition 3.3 excludes these cryptosystems. Here we present a relaxation of the definition.

Definition 6.1. A leveled fully homomorphic cryptosystem is a cryptosystem with $(\mathcal{M}, \cdot_M, +_M)$ and $(\mathcal{C}, \cdot_C, +_C)$ both viewed as rings with specified ring operations, such that for any depth $d \in \mathbb{Z}^+$, $K \in \mathcal{K}$, $\forall m_1, m_2 \in \mathcal{M}$, the cryptosystem can support the following homomorphisms

$$m_1 +_M m_2 = d_K(e_K(m_1) +_C e_K(m_2))$$

$$m_1 \cdot_M m_2 = d_K(e_K(m_1) \cdot_C e_K(m_2))$$

up to depth d.

How can we then construct such cryptosystems? Remarkably, Gentry was able to prove a powerful result which gives us a generic way of constructing leveled fully homomorphic cryptosystems from somewhat homomorphic cryptosystems. This generic construction is known as the Gentry blueprint. At the heart of this construction are the following definitions.

Definition 6.2. The set $T_D$ of augmented decryption circuits of a homomorphic cryptosystem is the set of two circuits taking two secret keys and two corresponding ciphertexts. The first circuit decrypts the two ciphertexts and outputs the sum of the resulting plaintexts mod 2. The second circuit decrypts the two ciphertexts and then outputs the product of the resulting plaintexts mod 2.

Definition 6.3. Let T be the set of circuits supported by a somewhat homomorphic cryptosystem, and let $T_D$ be the set of augmented decryption circuits. A somewhat homomorphic cryptosystem is said to be bootstrappable if $T_D \subseteq T$.

Informally, the set of augmented decryption circuits indicates the behaviour of the homomorphisms of the cryptosystem under two secret keys, and gives a "hint" as to how one can "uniformly" convert the homomorphisms of the cryptosystem under the two secret keys to a new secret key. Thus, bootstrappability is the property that we can remould a cryptosystem to a new secret key when the current secret key has exhausted the homomorphisms supported by the cryptosystem, causing the noise generated while performing the secure computation under the old secret key to be reverted back to the original level. This idea of refreshing the ciphertexts is central to what is known as the noise management and the key switching technique in the blueprint, giving the Refresh algorithm in these constructions.

With this, Gentry proved Gentry's Bootstrapping Theorem in [Gen09].

Gentry's Bootstrapping Theorem. A cryptosystem which is bootstrappable with respect to a set of gates Γ can be transformed into a cryptosystem capable of compactly evaluating all circuits of depth at most d with gates in Γ. Specifically, if Γ is a universal set of gates, then the cryptosystem can be transformed into a leveled fully homomorphic cryptosystem.

Gentry framed the security of these constructions with the following theorem.

Theorem 6.1. If a bootstrappable cryptosystem is semantically secure, so is the corresponding leveled fully homomorphic cryptosystem obtained from bootstrapping.

In particular, if one is willing to assume the bootstrappable cryptosystem is Key-Dependent Message (KDM) secure, then the resulting leveled fully homomorphic cryptosystem is semantically secure.

Brakerski et al. observed in [BGV12] that somewhat homomorphic cryptosystems tend not to be able to support their own augmented decryption circuits $T_D$. To overcome this, Gentry introduced a technique known as squashing. Namely, we squash the decryption circuit of the homomorphic cryptosystem by adding a "hint" to the public key, transforming the cryptosystem into another with the same homomorphic capacity but with a bootstrappable decryption circuit. See [Gen09] for a detailed discussion of squashing. We remark that the security of this technique is based on the Sparse Subset Sum Problem, i.e. given a large set containing a secret sparse subset that sums to the secret key, it is infeasible to recover the secret key without knowing that sparse subset.

However, fully homomorphic cryptosystems that follow the Gentry blueprint suffer from poor efficiency. The main reason for this poor performance is that bootstrapping is extremely expensive to compute: its cost is inherently at least the complexity of decryption times the bit-length of the individual ciphertexts that are used to encrypt the bits of the secret key. Furthermore, the undesired properties of known somewhat homomorphic cryptosystems cause the real cost of bootstrapping to be much worse than quadratic, as bootstrapping involves evaluating the decryption circuit homomorphically [BGV12]. If bootstrapping were the only way to construct a leveled fully homomorphic cryptosystem, this would seem to suggest that fully homomorphic cryptosystems may never be efficiently implemented.

Fortunately, there are other ways of constructing a leveled fully homomorphic cryptosystem. Recently, Gentry and Halevi, and Brakerski and Vaikuntanathan, independently developed different ways to construct fully homomorphic cryptosystems without using squashing. In particular, the ideas in the Brakerski-Vaikuntanathan cryptosystem are utilised in the most recent cryptosystem introduced by Brakerski et al. in [BGV12], which is already a leveled fully homomorphic cryptosystem without bootstrapping. We will describe the BGV cryptosystem next.

6.2 Without Bootstrapping: The BGV Cryptosystem

In this section, we will adopt the notation used in [BGV12]. Let R be the following ring

$$R = \mathbb{Z}[x]/(x^d + 1)$$

and define $R_q = R/qR$ for some prime q. Let $\langle \cdot, \cdot \rangle$ denote the "natural" inner product in $R_q^n$, that is, given $\vec x, \vec y \in R_q^n$,

$$\langle \vec x, \vec y \rangle = \sum_{k=1}^{n} x_k y_k$$

We denote the floor and ceiling functions by $\lfloor \cdot \rfloor$ and $\lceil \cdot \rceil$ respectively.

To construct the BGV cryptosystem, we will need a computational problem to underpin the security of the cryptosystem.

Definition 6.4. Given the security parameter $\varepsilon$, let n be an integer dimension, d a power of 2, and q a prime integer, all of which depend on $\varepsilon$. Define $f(x) = x^d + 1$, and define the rings $R = \mathbb{Z}[x]/(f(x))$ and $R_q = R/qR$. The General Learning with Errors Problem, denoted by $\mathrm{GLWE}(n, f, q, \varepsilon)$, is the problem of distinguishing $(\vec a, b)$, drawn uniformly from $R_q^{n+1}$, and $(\vec a, \langle \vec a, \vec s \rangle + e)$, where $\vec a, \vec s$ are drawn uniformly from $R_q^n$ and e is drawn from the error distribution $\chi$.

Note that when d = 1, the above problem becomes the Learning with Errors (LWE) problem. In contrast, when n = 1, the problem becomes the Ring Learning with Errors (RLWE) problem. These two problems are well-studied in the literature, especially by Lyubashevsky, Peikert and Regev, who pioneered and first studied both problems. Other instances of the problem, where neither n nor d is 1, are yet to be studied, and so are less emphasised.

We can now describe the BGV cryptosystem.


BGV Cryptosystem. Let b be a bit that decides whether we are setting the parameters with d = 1 or n = 1 (corresponding to LWE and RLWE respectively). Let L be the level (or depth) of the circuit to be supported. For each $j = L, \cdots, 0$, choose a $(j+1)\mu$-bit prime $q_j$, where $\mu$ depends on the security parameter $\varepsilon$ and b, let $n_j$ be an integer dimension, and choose $d, \chi, f$ accordingly (independent of j). Let p be another prime, let $N = \lceil (2n+1) \log q \rceil$, and let R be the ring described above. The BGV cryptosystem is the six-tuple

$$\Big(\mathcal{M} = R_p,\ (\mathcal{C}_j = R_{q_j}^{n_j+1} \times \mathbb{Z})_{j=0}^{L},\ \mathcal{K} = \{((s_j = (1, \vec s_j))_{j=0}^{L},\ (A_j = [b_j \mid -A_j])_{j=0}^{L})\},\ \mathcal{E}, \mathcal{D},\ \mathcal{R} = R_p^N\Big)$$

with the following algorithms:

KeyGen: Given a security parameter $\varepsilon$, for $j = L, \cdots, 0$,

(a) Choose $\vec s_j \in \chi^{n_j}$ and let $s_j = (1, \vec s_j)$. Choose $A_j \in R_{q_j}^{N \times n_j}$ and $e_j \in \chi^N$. Let $b_j = A_j \vec s_j + p e_j$, and set $A_j = [b_j \mid -A_j] \in R_{q_j}^{N \times (n_j+1)}$.

(b) Set $s'_j = s_j \otimes s_j \in R_{q_j}^{\binom{n_j+1}{2}}$.

(c) Set $s''_j = (u_0, \cdots, u_{\lfloor \log q_j \rfloor})$, where $s'_j = \sum_{k=0}^{\lfloor \log q_j \rfloor} u_k p^k$.

(d) Set $T = [\beta \mid -T]$, where $T \in R_{q_j}^{(n_j+1)\lfloor \log q_j \rfloor \times n_j}$ and $x_j \in \chi^{(n_j+1)\lfloor \log q_j \rfloor}$. Let $\beta = T \vec s_j + p x_j$.

(e) Set $\tau_{s''_{j+1} \to s_j} = T + [y \mid 0 \mid \cdots \mid 0]$, where $y = (s''_{j+1}, s''_{j+1} p, \cdots, s''_{j+1} p^{\lfloor \log q_{j+1} \rfloor})$, except when j = L.

Return public key $pk = (A_j, \tau_{s''_{j+1} \to s_j})_{j=0}^{L}$ and secret key $sk = (s_j)_{j=0}^{L}$.

Enc: Given a public key pk and a message $m \in \mathcal{M}$, $e_{pk} \in \mathcal{E}$ is defined as

$$e_{pk}(m) = (\mathbf{m} + A_L^T r,\ L)$$

for $\mathbf{m} = [m\ 0\ \cdots\ 0] \in R_{q_L}^{n_L+1}$ and some random $r \in \mathcal{R}$.

Dec: Given a secret key sk and a ciphertext $c = (\mathbf{c}, j) \in \mathcal{C}_j$, $d_{sk} \in \mathcal{D}$ is defined as

$$d_{sk}(c) = (\langle \mathbf{c}, s_j \rangle \bmod q_j) \bmod p$$

Refresh: Given a ciphertext $c = (\mathbf{c}, j) \in \mathcal{C}_j$ reinterpreted as encrypted under $s'_j = s_j \otimes s_j$ (specifically, append zeros at the end of $\mathbf{c}$ until it is the same length as $s'_j$), the ciphertext refreshing algorithm $\mathrm{Refresh}_{pk}(c)$ does the following

(a) $c_1 = (\mathbf{c}, \mathbf{c}p, \cdots, \mathbf{c}p^{\lfloor \log q_{j+1} \rfloor})$

(b) Set $c_2$ to be the closest vector to $\frac{q_{j-1}}{q_j} c_1$ such that $c_2 = c_1 \bmod p$. Note that $c_2$ is a ciphertext under key $s''_j$ for modulus $q_{j-1}$.

(c) Output $((w_0, \cdots, w_{\lfloor \log q_{j-1} \rfloor}) \cdot \tau_{s''_j \to s_{j-1}},\ j-1)$, where $c_2 = \sum_{k=0}^{\lfloor \log q_{j-1} \rfloor} w_k p^k$.


See [BGV12] for a detailed proof of the cryptosystem’s correctness and its semantic security. Note howeverthat Lemma 1 and 4 in [BGV12] are incorrect as stated and are corrected by Weir in [Wei13].

Given two messages $m_1, m_2$ with the corresponding ciphertexts $c_1 = (\mathbf{c}_1, j_1)$, $c_2 = (\mathbf{c}_2, j_2)$. We can assume that both ciphertexts are under the same secret key $s_j$, as we can apply the $\mathrm{Refresh}_{pk}$ algorithm to refresh the ciphertexts reinterpreted as above if they are not. Thus, without loss of generality, we can consider instead $\mathbf{c}_1, \mathbf{c}_2$. Then,

$$\mathbf{c}' = \mathbf{c}_1 + \mathbf{c}_2 \bmod q_j = [m_1\ 0\ \cdots\ 0] + [m_2\ 0\ \cdots\ 0] + A_j^T (r_1 + r_2) \bmod q_j = [m_1 + m_2\ 0\ \cdots\ 0] + A_j^T (r_1 + r_2) \bmod q_j$$

Recast $\mathbf{c}'$ by appending zeros to it until it has the same length as $s'_j = s_j \otimes s_j$, so $\mathbf{c}'$ can be interpreted as a ciphertext under $s'_j$. Apply $\mathrm{Refresh}_{pk}((\mathbf{c}', j))$ to obtain the encryption of $m_1 + m_2$. Likewise, proceed with the set-up as before, and let $L_{\vec y}(\vec x) = \langle \vec y, \vec x \rangle$, where $\vec x, \vec y \in R_{q_j}^{n_j+1}$. Then,

$$\mathbf{c}^* = \big(a_1, \cdots, a_{\binom{n_j+2}{2}}\big) \quad \text{where} \quad L_{\mathbf{c}_1}(\vec x)\, L_{\mathbf{c}_2}(\vec x) = \sum_{i=1}^{\binom{n_j+1}{2}} a_i (\vec x \otimes \vec x)_i$$

and apply $\mathrm{Refresh}_{pk}((\mathbf{c}^*, j))$ to get the encryption of $m_1 m_2$. Brakerski et al. showed that the above two operations are indeed the required additive and multiplicative homomorphisms respectively, if the noise produced, which is bounded above, has a suitable bound (see Lemma 5, 6 in [BGV12]).
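To make the encryption, decryption and the tensor-product multiplication above concrete, here is an added Python toy of the d = 1 (LWE) case; it is not code from the paper, from [BGV12] or from HElib. It assumes a uniform {-1, 0, 1} error distribution in place of χ, uses the full tensor product rather than the symmetric $\binom{n_j+2}{2}$-entry form, omits Refresh (so the product stays under the quadratic key $s \otimes s$), and uses constructed toy parameters; the noise method exposes the quantity that Refresh has to keep below $q_j/2$ for decryption to remain correct.

```python
"""Toy BGV-style scheme over the integers: the d = 1 (LWE) instance of Section 6.2.

Added example: not code from the paper, from [BGV12] or from HElib. It implements
KeyGen step (a), Enc and Dec for one level, then shows one homomorphic addition and
one tensor-product multiplication decrypted under the quadratic key s (x) s, the
point at which the Refresh step would switch keys and moduli. Assumptions made here:
the error distribution chi is uniform on {-1, 0, 1} (a stand-in for the discrete
Gaussian), the full tensor c1 (x) c2 is used instead of the symmetric
binom(n+2, 2)-entry form, and all parameters are toy-sized.
"""
from math import ceil, log2
from random import Random


def centred(x, q):
    """Representative of x mod q in (-q/2, q/2], so that small negative noise
    survives the reduction mod q and does not corrupt the plaintext."""
    x %= q
    return x - q if x > q // 2 else x


class ToyBGV:
    def __init__(self, n=8, q=2147483647, p=3, seed=7):
        self.n, self.q, self.p = n, q, p
        self.rng = Random(seed)
        self.N = ceil((2 * n + 1) * log2(q))         # N = ceil((2n+1) log q)
        chi = lambda: self.rng.choice((-1, 0, 1))   # assumed small-noise distribution
        s_vec = [chi() for _ in range(n)]
        self.s = [1] + s_vec                         # s = (1, s_vec)
        A = [[self.rng.randrange(q) for _ in range(n)] for _ in range(self.N)]
        e = [chi() for _ in range(self.N)]
        # b = A s_vec + p e (mod q); the secret is hidden by the LWE noise p*e
        b = [(sum(a * si for a, si in zip(row, s_vec)) + p * ei) % q
             for row, ei in zip(A, e)]
        # public matrix [b | -A], N x (n+1); by construction [b | -A] . s = p e
        self.A_pub = [[bi] + [(-a) % q for a in row] for bi, row in zip(b, A)]

    def encrypt(self, m):
        # c = (m, 0, ..., 0) + A_pub^T r (mod q) with r drawn from Z_p^N
        r = [self.rng.randrange(self.p) for _ in range(self.N)]
        c = [m % self.p] + [0] * self.n
        for ri, row in zip(r, self.A_pub):
            for k, a in enumerate(row):
                c[k] = (c[k] + ri * a) % self.q
        return c

    def inner(self, c, key=None):
        # <c, key> reduced to the centred residue mod q: equals m + p*(r . e)
        # while that noise term is smaller than q/2
        key = self.s if key is None else key
        return centred(sum(ci * si for ci, si in zip(c, key)), self.q)

    def decrypt(self, c, key=None):
        # Dec: (<c, s> mod q) mod p
        return self.inner(c, key) % self.p

    def noise(self, c, key=None):
        # magnitude of the p*(r . e) term; decryption is correct while it stays
        # below q/2, which is why the moduli q_j shrink with each Refresh
        return abs(self.inner(c, key) - self.decrypt(c, key))

    def add(self, c1, c2):
        # c1 + c2 mod q encrypts m1 + m2 mod p under the same key (noise adds)
        return [(a + b) % self.q for a, b in zip(c1, c2)]

    def tensor(self, c1, c2):
        # <c1 (x) c2, s (x) s> = <c1, s> <c2, s>, so the product is a ciphertext
        # under the quadratic key s (x) s (noise multiplies)
        return [(a * b) % self.q for a in c1 for b in c2]

    def tensor_key(self):
        return [a * b for a in self.s for b in self.s]


def demo():
    """Constructed run: encrypt 1 and 2, then decrypt their homomorphic sum and
    product. Returns ((1 + 2) mod 3, (1 * 2) mod 3) = (0, 2)."""
    bgv = ToyBGV()
    c1, c2 = bgv.encrypt(1), bgv.encrypt(2)
    return bgv.decrypt(bgv.add(c1, c2)), bgv.decrypt(bgv.tensor(c1, c2), bgv.tensor_key())
```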

In terms of its efficiency, the BGV cryptosystem provides a remarkable improvement in performance compared to any of its predecessors. In June 2012, by employing the Smart-Vercauteren ciphertext packing techniques [SV11] and the Gentry-Halevi-Smart optimisations [GHS12], Gentry, Halevi and Smart implemented a variant of the BGV cryptosystem which can encrypt the entire ten rounds of AES in under 36 hours, and the SIMD ciphertext packing allows 54 such AES blocks to be computed in parallel in this time period. In November 2012, Halevi and Shoup published a paper detailing how one can implement a variant of the BGV cryptosystem [HS12]. [HS12] became the basis of HElib, a BGV cryptosystem implementation library by Halevi in C++ using the NTL library, available on GitHub. An informal performance result of HElib is presented in the next section.

7 Informal Performance Results

In this section, we present an informal set of performance results of various schemes, based on the author's implementation of these schemes. Unless otherwise stated, all tests were conducted on a Linux 32-bit virtual machine (hence the informality), with the 64-bit host machine having 4GB of RAM, running on an Intel (R) Dual Core i5-2520M at 2.5GHz per core and thus having 4 logical processors. All implementations are optimised to utilise all 4 logical processors where possible.

For the Paillier cryptosystem, we implemented the cryptosystem by using John Bethencourt's C implementation with the GMP library, available from the Advanced Crypto Software Collection (ACSC). We used the cryptosystem to securely calculate the generic formula $\sum_i a_i x_i$, where the $x_i$ are kept encrypted. We get the following results when securely computing for 25 encrypted variables for an instance with a key size of 1024 bits:

Algorithm                                                   Total time   Average time
Encryption                                                  0.292s       11.68ms
Secure Computation (Addition and Constant Multiplication)   0.162s       6.48ms
Decryption                                                  0.057s       2.28ms

For our FNP scheme, we utilise a very simplistic bin allocation algorithm by performing modular arithmetic, and we used a simple bin balancing strategy, which is to move to the next bin if the current bin is full. We limit each of our bin sizes to at most 3. We perform our set intersection by homomorphically computing $e_{pk}(rP(y) + y)$, where P is the bin polynomial whose roots are the elements in the bin. For this test, we ran our FNP implementation on a 64-bit Linux server, with 32GB of RAM, running on 8 Intel (R) Xeon (R) CPU X7460 processors at 2.66GHz each and thus having 16 logical processors. Based on these specifications, our FNP scheme with the Paillier cryptosystem yields the following results:

Database Size   Encryption   Set Intersection Computation   Decryption
10,000          26s          25s                            5s
1,000,000       32m 10s      28m 27s                        1hr 35m 41s

We remark that the set intersection computation and subsequent decryption can be made to run much faster if we instead compute $e_{pk}(P(y))$, which decrypts to 0 if the record y is in the set intersection. We have also found this scheme to be experimentally more efficient than a hidden vector encryption scheme when we modified FNP to incorporate broader database queries, much like the BGHWW scheme.

Finally, we present the performance results of HElib, measured over 1000 runs, with plaintext modulus $p = 3907$; each ciphertext has a number of slots, so several values are packed into one ciphertext, and the computation consists of one addition and one multiplication operation, for different levels $L$:

L    Slots   Encryption (total / avg)    Computation (total / avg)   Decryption (total / avg)
4    42      11m 7.51s / 220ms           6.28s / 6.28ms              2m 30.19s / 150ms
6    24      16m 7.92s / 320ms           10.27s / 10.27ms            3m 27.42s / 210ms
8    9       9m 31.69s / 190ms           17.73s / 17.73ms            1m 30.11s / 90ms
10   112     49m 1.29s / 980ms           28.15s / 28.15ms            10m 29.98s / 630ms
12   112     53m 20.757s / 1.07s         33.78s / 33.78ms            10m 52.08s / 650ms
14   300     70m 3.924s / 1.40s          43.26s / 43.26ms            14m 37.5s / 650ms
16   22      41m 55.956s / 830ms         1m 0.9s / 60.9ms            9m 0.12s / 540ms
18   22      45m 1.355s / 900ms          1m 8.45s / 68.45ms          9m 40.39s / 580ms
20   720     3hr 27m 21.22s / 4.15s      1m 35.45s / 100ms           37m 1.69s / 2.22s

8 Conclusion

The state of the art in homomorphic cryptography is certainly promising for researchers and industry players alike. Not only do we have a fully homomorphic cryptosystem, but, more importantly, we now have a general idea of how we might construct an efficient, implementable fully homomorphic cryptosystem. Of course, currently known cryptosystems are yet to be implementable for industrial use, but it is hoped that future research, particularly with HElib, will soon yield the "holy grail" we have been looking for: a truly practical fully homomorphic cryptosystem.

Another open problem, posed in [BGV12], is the strength of the assumptions underlying the fully homomorphic cryptosystems. All current cryptosystems rely on the hardness of short vector problems on lattices with a subexponential approximation factor. Brakerski et al. then asked whether we can base a fully homomorphic cryptosystem on problems with polynomial hardness. It is still unknown whether this is possible.

Acknowledgements

The author of this paper wishes to express gratitude to Dr. Yassir Nawaz, Fellow of the Privacy & Security group in Pitney Bowes, for the wonderful opportunity to work under his mentorship and for his proposal of homomorphic cryptography as the focus of my work as a student intern in Pitney Bowes, upon which this expository paper is based. His flexibility in allowing me to pursue the study of homomorphic cryptography and his guidance throughout my time here in Pitney Bowes have been really encouraging, and the many discussions between us proved insightful and helpful. The author would also like to thank Dr. Femi Olumofin, Project Engineer in the Privacy & Security group in Pitney Bowes, for allowing the author to run performance benchmarking tests on his Linux server and for providing valuable assistance in helping the author with the necessary configurations.


References

[BGH+13] Dan Boneh, Craig Gentry, Shai Halevi, Frank Wang, and David J. Wu, Private database queries using somewhat homomorphic encryption, Cryptology ePrint Archive, Report 2013/422, 2013, http://eprint.iacr.org/.

[BGN05] Dan Boneh, Eu-Jin Goh, and Kobbi Nissim, Evaluating 2-DNF formulas on ciphertexts, Theory of Cryptography, Springer, 2005, pp. 325–341.

[BGV12] Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan, Fully homomorphic encryption without bootstrapping, Innovations in Theoretical Computer Science (ITCS'12), 2012, available at http://eprint.iacr.org/2011/277.

[DJ01] Ivan Damgård and Mads Jurik, A generalisation, a simplification and some applications of Paillier's probabilistic public-key system, Public Key Cryptography, Springer, 2001, pp. 119–136.

[ElG85] Taher ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms, IEEE Transactions on Information Theory 31 (1985), no. 4, 469–472.

[FNP04] Michael J. Freedman, Kobbi Nissim, and Benny Pinkas, Efficient private matching and set intersection, Advances in Cryptology – EUROCRYPT 2004, Springer, 2004, pp. 1–19.

[Fre10] David Mandell Freeman, Converting pairing-based cryptosystems from composite-order groups to prime-order groups, Advances in Cryptology – EUROCRYPT 2010, Springer, 2010, pp. 44–61.

[Gal02] Steven D. Galbraith, Elliptic curve Paillier schemes, Journal of Cryptology 15 (2002), no. 2, 129–138.

[Gen09] Craig Gentry, Fully homomorphic encryption using ideal lattices, Proceedings of the 41st ACM Symposium on Theory of Computing – STOC 2009, ACM, 2009, pp. 169–178.

[GHS12] Craig Gentry, Shai Halevi, and Nigel Smart, Homomorphic evaluation of the AES circuit, Advances in Cryptology – CRYPTO 2012, Lecture Notes in Computer Science, vol. 7417, Springer, 2012, pp. 850–867, full version at http://eprint.iacr.org/2012/099.

[Hen08] Kevin Henry, The theory and applications of homomorphic cryptography.

[HS12] Shai Halevi and Victor Shoup, Design and implementation of a homomorphic-encryption library.

[Jur03] Mads J. Jurik, Extensions to the Paillier cryptosystem with applications to cryptological protocols, Citeseer, 2003.

[LMSV10] J. Loftus, A. May, N. P. Smart, and F. Vercauteren, On CCA-secure fully homomorphic encryption, Cryptology ePrint Archive, Report 2010/560, 2010, http://eprint.iacr.org/.

[NLV11] Michael Naehrig, Kristin Lauter, and Vinod Vaikuntanathan, Can homomorphic encryption be practical?, Proceedings of the 3rd ACM Workshop on Cloud Computing Security Workshop, ACM, 2011, pp. 113–124.

[Pai99] Pascal Paillier, Public-key cryptosystems based on composite degree residuosity classes, Advances in Cryptology – EUROCRYPT '99, Springer, 1999, pp. 223–238.

[RAD78] R. Rivest, L. Adleman, and M. Dertouzos, On data banks and privacy homomorphisms, Foundations of Secure Computation, Academic Press, 1978, pp. 169–177.


[SST05] Katja Schmidt-Samoa and Tsuyoshi Takagi, Paillier's cryptosystem modulo $p^2 q$ and its applications to trapdoor commitment schemes, Progress in Cryptology – Mycrypt 2005, Springer, 2005, pp. 296–313.

[SV11] Nigel P. Smart and Frederik Vercauteren, Fully homomorphic SIMD operations, manuscript at http://eprint.iacr.org/2011/133, 2011.

[Wei13] Brandon Weir, Homomorphic encryption.