Fully Homomorphic Encryption Scheme with Symmetric Keys


Fully Homomorphic Encryption Scheme with Symmetric Keys

A Dissertation submitted in partial fulfillment for the award of the Degree of Master of Technology in the Department of Computer Science & Engineering (with specialization in Computer Engineering)

Supervisor: C. P. Gupta, Asso. Prof. & Head, CSE
Submitted by: Iti Sharma, Enrollment No.: 11E2UCCSF4XP606

Department of Computer Science & Engineering, University College of Engineering, Rajasthan Technical University, Kota
August 2013

CANDIDATE'S DECLARATION

I hereby declare that the work, which is being presented in the Dissertation, entitled "Fully Homomorphic Encryption Scheme with Symmetric Keys" in partial fulfillment for the award of Degree of Master of Technology in Department of Computer Science and Engineering with Specialization in Computer Engineering and submitted to the Department of Computer Science and Engineering, University College of Engineering, Rajasthan Technical University, is a record of my own investigations carried out under the guidance of C. P. Gupta, Asso. Prof. & Head, Department of Computer Science and Engineering, UCE, Kota. I have not submitted the matter presented in this Dissertation anywhere for the award of any other Degree.

Iti Sharma, Computer Engineering, Enrollment No.: 11E2UCCSF4XP606, University College of Engineering, RTU, Kota.

Counter Signed By: C. P. Gupta, Asso. Prof. and Head, CSE Dept

CERTIFICATE

This is to certify that this dissertation entitled "Fully Homomorphic Encryption with Symmetric Keys" has been successfully carried out by Iti Sharma (Enrollment No: 11E2UCCSF4XP606), under my supervision and guidance, in partial fulfillment of the requirement for the award of the Master of Technology Degree in Computer Engineering from University College of Engineering, Rajasthan Technical University, Kota for the year
Place: Kota
Date:
Supervisor: C. P. Gupta, Asso. Prof. & Head, CSE Dept

Acknowledgment

It is my great privilege to express sincere gratitude and thanks to my supervisor C. P. Gupta, Associate Professor & Head, Department of Computer Science & Engineering, UCE, RTU, Kota for his valuable guidance during each and every phase of this work. The keen observation and motivating style of critique and compliment kept me stimulated towards perfection. I thank him for the interest and energy that was committed to the dissertation and for allowing me a wide academic freedom. I would also like to thank my family for their help, support and patience. Not in the least, I would thank the Almighty for blessing me.

Iti Sharma, Computer Science Engineering, Enrollment No.: 11E2UCCSF4XP606, University College of Engineering, RTU, Kota (Raj)

List of Symbols and Notations

Z_q: finite field of integers of order q
M ∈ Z_q^(n×n): square matrix of dimension n with elements from Z_q
concatenation of bit strings
concatenation of matrices with an equal number of rows, column-wise
a ←$ A: randomly select an item a from set A
a_1, ..., a_n ←$ A: randomly select n items from set A
A^-1: inverse of matrix A
A.B: multiplication of two matrices A and B
Enc(x, k): encryption of plaintext x under key k
Dec(c, k): decryption of ciphertext c under key k
Õ(λ): Landau notation equivalent to asymptotic O(λ log λ log log λ)

List of Figures

Figure 2.1 Multiplicative Homomorphic Property of RSA cryptosystem 6
Figure 2.2 Additive Homomorphic Property of Paillier cryptosystem 7
Figure 3.1 Concept of Homomorphic Encryption 17
Figure 3.2 Homomorphic Encryption with Asymmetric Keys 19
Figure 4.1(a) Variation of the number of invertible matrices with the value of N, all factors prime 29
Figure 4.1(b) Variation of the number of invertible matrices with the value of N, all factors mutually prime 29
Figure 4.2 Privacy Preserving Data Processing: System Model and Protocol 39

List of Tables

Table 4.1 Comparison of the proposed scheme with other FHE schemes 42
Table 4.2 Brute-force security of the proposed scheme 43
Table 4.3 Execution time of key generation, encryption and decryption for various lengths of N 47
Table 4.4 Evaluation time of addition and multiplication for different lengths of N 48

List of Publications

1. Iti Sharma and Mayank Sharma, "Delegating Computations: Potentials of Homomorphic Encryption", 17th Annual Conference of GAMS and National Symposium on Computational Mathematics and Information Technology, JUET, Guna, Dec.
2. Iti Sharma and Heena Jain, "Cloud Integrity: Scope of Homomorphic Encryption", National Conference on Advancements in Information, Computer and Communication AICC-2013, Kautilya Institute of Technology and Engineering, Jaipur, March.
3. C. P. Gupta and Iti Sharma, "A Fully Homomorphic Encryption Scheme with Symmetric Keys with Application to Private Data Processing in Clouds", Fourth International Conference on Network of the Future (NoF'13), Pohang, Korea. [Accepted]

CONTENTS

List of Figures
List of Tables
List of Publications
Table of Contents
Abstract 1
1 Introduction
  1.1 Conventional Cryptography
  1.2 New Challenges Posed by Cloud Computing
  1.3 Homomorphic Cryptography
  1.4 Open Problems
  1.5 Problem Statement
  1.6 Our Contribution
  1.7 Organization of Dissertation 5
2 Literature Survey
  2.1 Privacy Homomorphisms
  2.2 RSA - A Multiplicative Homomorphic Scheme
  2.3 Paillier - An Additive Homomorphic Scheme
  2.4 Gentry - An Algebraically Homomorphic Scheme
  2.5 Improvements to Gentry's Blueprint (Lattice-based) 8
  2.6 Fully Homomorphic Encryption based on Approximate GCD
  2.7 Fully Homomorphic Encryption based on Ring-Learning with Errors
  2.8 Fully Homomorphic Encryption based on Large Integer Factorization
  2.9 Homomorphic Encryption in Cloud Computing
  Survey Extraction 15
3 Homomorphic Encryption
  Homomorphic Encryption: Terminology
  Properties of Homomorphic Encryption
  Applications of Homomorphic Encryption 22
4 Fully Homomorphic Encryption Scheme with Symmetric Keys
  Preliminaries
  Design Concept
  The Cryptosystem
  Application-specific Primitives
  A Multiparty Protocol for Privacy-preserving Data Processing
  Performance
  Security Properties
  Implementation Results
  Variants 48
5 Conclusion and Future Work 50
References 51

Abstract

Homomorphic encryption has largely been studied in the context of public-key cryptosystems, but there are applications which inherently require symmetric keys. We propose a symmetric-key encryption scheme with fully homomorphic evaluation capabilities. The operations are matrix based; that is, the scheme maps operations on integers to operations on matrices. We aim to show how a fully homomorphic scheme with symmetric keys can be incorporated into applications like private data processing, and we propose the primitives an FHE scheme needs in order to be practical and more useful. Certain applications which can benefit from homomorphic encryption involve more than one party, such as multiparty computation; the majority of the proposed schemes have not explored this area, and our proposal aims to address it. The proposed scheme is computationally light, efficient, multi-hop, circuit-private and can be deployed in a multi-user environment. It derives its security from the hardness of factoring a large integer, which is the basis of many public-key cryptosystems. Besides the primitives for encryption, decryption and evaluation, we include primitives useful for adapting the scheme to the specific applications of delegating computation and data access control in multiuser environments like that of cloud computing. We also include a protocol which uses the proposed scheme for private data processing in clouds; it can easily be extended to keyword search in indices of encrypted databases, PIR and electronic voting. We propose possible variants which show how a fully homomorphic encryption scheme can be designed using symmetric keys. We include a checklist of the properties a homomorphic scheme should have when employed in a given application and tally our proposal against it. We present a security analysis of our scheme along with formal proofs, and compare the performance of the scheme with current efficient schemes.

Chapter 1
INTRODUCTION

The amount of data generated, stored and communicated electronically is growing exponentially year by year, and with it grows the vulnerability of that data and hence the demand for securing it. Cryptography has emerged as the most effective data protection solution. At present, cryptographic primitives provide both data owners and users with efficient means to ensure the security of their data and algorithms in terms of confidentiality, integrity, authentication, validation, and verification.

1.1 Conventional Cryptography
All cryptographic techniques in use today can be broadly classified as symmetric and asymmetric encryption. Symmetric, or secret-key, cryptography uses the same key for both encryption and decryption. It is a cryptosystem defined by two algorithms. During communication, the sender uses the encryption algorithm Enc(m, k), where m is the message to be encrypted and k is the secret key, to obtain a ciphertext c corresponding to plaintext m. This encrypted message is sent to the receiver, who retrieves the message using the decryption algorithm Dec(c, k). Asymmetric, or public-key, systems use different keys for encryption and decryption. The key known only to one party (the sender or the receiver) is called the private key, and the key which is published and thus known to more than one party is called the public key. The encryption algorithm Enc(m, pk) encrypts message m under public key pk, and the message is retrieved using the decryption algorithm Dec(c, sk), where sk is the private key. In certain applications like digital signatures the roles are reversed: the private key is applied first to produce the signature, and the public key is used to verify it.

1.2 New Challenges Posed by Cloud Computing
The emergence of cloud computing, where critical customer and enterprise data may be held by third-party cloud providers in public and/or shared (multi-tenant) computing and storage environments, highlights the need to use encryption as a primary security control. Security threats and the application of encryption mechanisms are discussed in the context of data at rest, data in transit, and data in use. While the security of data in transit benefits from mature encryption tools such as SSL/TLS, protecting data at rest while ensuring its availability presents additional and ongoing challenges. Encryption of a database should not adversely affect the ability of applications to use its data. Hence, in a cloud computing scenario, encryption solutions must be architected to achieve the goals of both data protection (confidentiality and integrity) and availability of the data, the service, and the capability to collaborate and share data easily. Neither symmetric nor asymmetric encryption methods on their own suffice for the needs of a cloud computing environment. This is where homomorphic cryptography comes into the picture.

1.3 Homomorphic Cryptography
The aim of homomorphic cryptography is to ensure the privacy of data in communication, storage or use by processes, with mechanisms similar to conventional cryptography but with the added capability of computing over encrypted data, searching encrypted data, and so on. A homomorphism is a structure-preserving map by which a problem in one algebraic system can be converted to a problem in another algebraic system, solved there, and the solution translated back. Thus, homomorphism makes secure delegation of computation to a third party possible. Many conventional encryption schemes possess either a multiplicative or an additive homomorphic property and are currently in use for the respective applications. Yet a fully homomorphic encryption scheme, which can perform arbitrary computation over encrypted data, appeared only in 2009 with Gentry's work [1].

1.4 Open Problems
Though Gentry's blueprint [1] provides a solution, what remains is to develop the basic scheme into more feasible ones. The major drawbacks of the schemes based on Gentry's blueprint have been large public key size, many keys, growth of ciphertext size per computation in a circuit, and accumulation of noise. While a major application of FHE is delegation of computation due to lack of resources at the user end, the majority of schemes are computationally intensive, making them practically useless for such users. Another open problem is reducing key sizes to a manageable level, since the procedure requires at least three keys (encryption, re-encryption or evaluation, and decryption). The approach should now be to focus on devising application-specific homomorphisms: a lightweight scheme, a fast scheme, a semantically secure scheme, a multiparty scheme and so on. The schemes currently in use for applications like e-voting, PIR etc. are not fully homomorphic. They are either SHE (somewhat homomorphic encryption) or are homomorphic over a limited number of circuits/operations, hence limited to a few applications and unable to be extended or generalized to a complete category of applications.

Almost all schemes proposed so far are based on public-key cryptography. This has the obvious advantage of resting on hardness problems like large integer factorization, Diffie-Hellman problems or the approximate GCD problem. But there are applications which inherently require symmetric keys, or perhaps no public key at all (e.g. a user storing private data on a cloud only for personal purposes needs only a secret key). Further, there are applications involving more than one party, such as multiparty computation. The majority of the proposed schemes have not explored this area.

The large amount of data and the huge cost of encrypting and decrypting it (as well as the large number of keys to be distributed among multiple stakeholders) gave way to hybrid clouds and data classification. Hybrid clouds combine private enterprise clouds holding on-premise data (perceived security is high) with public clouds involving third-party storage providers (not so secure). Data classification involves different levels of security depending on the criticality of the data. Moreover, many data-centric applications involve multiple users and can benefit only if the encryption process can follow the hierarchy of data classification. A possible solution to be explored is incremental encryption with homomorphic properties.

1.5 Problem Statement
Design an efficient and practically feasible fully homomorphic scheme that uses symmetric keys, and subsequently design a protocol for its use in multiuser data-centric applications.

1.6 Our Contribution
Vaikuntanathan presented a state-of-the-art survey [2] of FHE and how it can be applied to delegation of computation. He raised an open question: "Can homomorphic encryption be efficient enough to be practical?" Our proposal addresses this open problem. The proposed scheme is based on matrix operations which are computationally light and fully homomorphic. It uses symmetric keys of small size, thereby making it suitable for many data-centric applications. It derives its security from the hardness of factoring a large integer, which is the basis of many public-key cryptosystems. We extend the approach used in [3]. Besides the primitives for encryption, decryption and evaluation, we have included primitives useful for adapting the scheme to the specific applications of delegating computation and data access control in multiuser environments like that of cloud computing. It can easily be extended to keyword search in indices of encrypted databases, PIR and electronic voting. We have also included a checklist of the properties a homomorphic scheme should have when employed in a given application and compared our proposal against it. The proposed scheme is multi-hop, ensures circuit privacy, can handle computations of arbitrary size without the need for noise management, and has scope for parallelization. We also present a formal security analysis of the scheme.

1.7 Organization of Dissertation
Chapter 2 presents a survey of existing homomorphic schemes, their analyses and the applications available in the literature. It gives a brief and clear overview of the underlying principles of such schemes and their limitations. Chapter 3, as its title "Homomorphic Encryption" suggests, introduces the relevant terminology. It contains formal definitions, properties and representative applications of homomorphic encryption. Chapter 4, titled "Fully Homomorphic Encryption Scheme with Symmetric Keys", describes our proposal. It has a detailed description of the primitives and the algorithms along with examples, performance and security analyses. Chapter 5 concludes the dissertation and presents the possible aspects in which further work can be done.

Chapter 2
LITERATURE SURVEY

Beginning from the notion of privacy homomorphisms in 1978, homomorphic encryption had been more like a holy grail lurking in the minds of cryptographers, and the quest did not end until Gentry's work in 2009. Since then the field has been growing rapidly, with so much potential anticipated that cryptographers worldwide are now inclined to consider it an entirely new field of computer science.

2.1 Privacy Homomorphisms
The idea of using homomorphisms along with encryption was introduced by Rivest, Adleman, and Dertouzos in 1978 [4]. They asked for an encryption function that permits encrypted data to be operated on without preliminary decryption of the operands, and they called such schemes privacy homomorphisms. Unfortunately, shortly after publication, major security flaws were found in the schemes originally proposed by Rivest et al. The search for fully homomorphic cryptosystems began.

2.2 RSA - A Multiplicative Homomorphic Scheme
In 1978, Rivest, Shamir, and Adleman published their public-key cryptosystem [5], which uses only elementary ideas from number theory. It is one of the first homomorphic cryptosystems and the most widely used public-key cryptosystem. It may be used to provide both secrecy and digital signatures, and its security is based on the intractability of the integer factorization problem. The RSA scheme has a multiplicative homomorphic property: it is possible to multiply encryptions of messages without losing or tampering with the underlying information. This is possible because the operation "multiplication" in the ciphertext space (Z_n, ·) corresponds to the operation "multiplication" in the plaintext space (Z_n, ·): Enc(m1) · Enc(m2) = m1^e · m2^e = (m1 · m2)^e = Enc(m1 · m2) (mod n). The same is illustrated in Fig. 2.1.

Figure 2.1: Multiplicative Homomorphic Property of RSA cryptosystem
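As an added worked example (not code from the dissertation or from [5] or [6]), the following Python script demonstrates the multiplicative homomorphism of textbook RSA described above and, since the two are usually shown side by side, the additive homomorphism of the Paillier cryptosystem covered in the next section (2.3). The primes 10007 and 10009, the messages and the seed are constructed for the demonstration and give no security; textbook RSA without padding is also deterministic, which is exactly what makes its ciphertexts multipliable and what makes it unsuitable as an encryption scheme on its own. The Paillier part additionally shows multiplication of an encrypted value by a known constant, which the additive property implies but the text does not spell out. Requires Python 3.8+ for pow(x, -1, n).

```python
"""RSA multiplicative homomorphism and Paillier additive homomorphism.
Added illustration with constructed toy parameters; not secure and not the
dissertation's own code."""
import random
from math import gcd

P_DEMO, Q_DEMO = 10007, 10009          # constructed small primes (toy size)


# ---------------- RSA: Enc(m1) * Enc(m2) = Enc(m1 * m2) (mod n) ----------------
def rsa_keygen(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, pow(e, -1, phi))    # (public key, private key)


def rsa_enc(pk, m):
    n, e = pk
    return pow(m, e, n)


def rsa_dec(sk, c):
    n, d = sk
    return pow(c, d, n)


def rsa_mul_demo(m1=12345, m2=6789):
    """Multiply two RSA ciphertexts; decryption yields m1 * m2 mod n because
    m1^e * m2^e = (m1 * m2)^e (mod n).  Returns (decrypted, expected)."""
    pk, sk = rsa_keygen(P_DEMO, Q_DEMO)
    n = pk[0]
    c_prod = (rsa_enc(pk, m1) * rsa_enc(pk, m2)) % n
    return rsa_dec(sk, c_prod), (m1 * m2) % n


# ----------- Paillier: Enc(m1) * Enc(m2) = Enc(m1 + m2) (mod n^2) --------------
def paillier_keygen(p, q):
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)     # lambda = lcm(p-1, q-1)
    g = n + 1                                        # standard simple choice of g
    mu = pow(lam, -1, n)   # with g = n+1, L(g^lam mod n^2) = lam, so mu = lam^-1 mod n
    return (n, g), (n, lam, mu)


def paillier_enc(pk, m, rng):
    """Probabilistic: c = g^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, g = pk
    n2 = n * n
    while True:
        r = rng.randrange(1, n)
        if gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def paillier_dec(sk, c):
    n, lam, mu = sk
    u = pow(c, lam, n * n)
    return (((u - 1) // n) * mu) % n          # L(u) * mu mod n, with L(u) = (u - 1) / n


def paillier_add(pk, c1, c2):
    """Homomorphic addition of plaintexts: multiply the ciphertexts modulo n^2."""
    n = pk[0]
    return (c1 * c2) % (n * n)


def paillier_scale(pk, c, k):
    """Homomorphic multiplication of the plaintext by a known constant k: c^k mod n^2."""
    n = pk[0]
    return pow(c, k, n * n)


def paillier_add_demo(m1=12345, m2=6789, k=3, seed=1):
    """Compute Enc(m1 + m2) and Enc(k * m1) without the private key, then decrypt both.
    Returns (decrypted sum, decrypted scaled value)."""
    rng = random.Random(seed)
    pk, sk = paillier_keygen(P_DEMO, Q_DEMO)
    c1, c2 = paillier_enc(pk, m1, rng), paillier_enc(pk, m2, rng)
    return (paillier_dec(sk, paillier_add(pk, c1, c2)),
            paillier_dec(sk, paillier_scale(pk, c1, k)))


if __name__ == "__main__":
    print("RSA  :", rsa_mul_demo())          # (83810205, 83810205)
    print("Paillier:", paillier_add_demo())  # (19134, 37035)
```

Note the asymmetry the two sections describe: RSA's ciphertext multiplication maps to plaintext multiplication, while Paillier's ciphertext multiplication maps to plaintext addition (and exponentiation to scalar multiplication); neither scheme offers the other operation, which is what the fully homomorphic schemes surveyed later add.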

2.3 Paillier - An Additive Homomorphic Scheme
Pascal Paillier introduced his cryptosystem [6], based on composite residuosity classes, whose computation is believed to be computationally difficult. It is a probabilistic asymmetric algorithm for public-key cryptography and has an additive homomorphic property: specifically, the product of two ciphertexts decrypts to the sum of their plaintexts, Enc(m1) · Enc(m2) (mod n^2) = Enc(m1 + m2 mod n). This is illustrated in Fig. 2.2.

Figure 2.2: Additive Homomorphic Property of Paillier cryptosystem

2.4 Gentry - An Algebraically Homomorphic Scheme
In a breakthrough work, Gentry described in 2009 the first encryption scheme that supports both addition and multiplication on ciphertexts, i.e. a fully homomorphic encryption scheme [1]. Gentry used a method which no other researcher had tried before. Instead of directly creating a superior scheme, he built one from a somewhat homomorphic scheme whose decryption circuit is sufficiently simple. The construction proceeds in successive steps. First, Gentry describes a somewhat homomorphic scheme that supports a limited number of additions and multiplications on ciphertexts. The limit arises because every ciphertext has a noise component, and any homomorphic operation applied to ciphertexts increases the noise in the resulting ciphertext. Once this noise reaches a certain threshold the resulting ciphertext no longer decrypts correctly; this limits the degree of the polynomial that can be applied to ciphertexts. Secondly, Gentry shows how to squash the decryption procedure so that it can be expressed as a low-degree polynomial in the bits of the ciphertext and the secret key (equivalently, a circuit of small depth). The breakthrough idea then consists in evaluating this decryption polynomial not on the bits of the ciphertext and the secret key (as in regular decryption), but homomorphically on encryptions of those bits. Instead of recovering the plaintext bit, one then obtains an encryption of this plaintext bit, i.e. yet another ciphertext for the same plaintext. If the degree of the decryption polynomial is small enough, the noise in this new ciphertext can be smaller than in the original ciphertext; this is called the ciphertext refresh procedure. Given two refreshed ciphertexts one can again apply a homomorphic operation (either addition or multiplication), which was not necessarily possible on the original ciphertexts because of the noise threshold. Using this ciphertext refresh procedure the number of permissible homomorphic operations becomes unlimited and we get a fully homomorphic encryption scheme. The prerequisite for the ciphertext refresh procedure is that the degree of the polynomial that can be evaluated on ciphertexts exceeds the degree of the decryption polynomial (times two, since one must allow for a subsequent addition or multiplication of refreshed ciphertexts); this is called the bootstrappability condition. Once the scheme becomes bootstrappable it can be converted into a fully homomorphic encryption scheme by providing the encryption of the secret key bits inside the public key.

2.5 Improvements to Gentry's Blueprint

Lattice-based implementation of Gentry's blueprint, 2010
At PKC 2010 Smart and Vercauteren [7] made the first attempt to implement Gentry's scheme, using a variant based on principal ideal lattices and requiring that the determinant of the lattice be a prime number. However, the authors of [7] could not obtain a bootstrappable scheme because that would have required a lattice dimension of at least n = 2^27, whereas due to the prime determinant requirement they could not generate keys for dimensions n > 2048, which is essential for security purposes. This implied that Gentry's blueprint was not yet practical.

Gentry-Halevi scheme, 2010
The authors of [8] follow the same direction as Smart and Vercauteren [7], but for key generation they eliminate the requirement that the determinant be prime. Additionally they present many clever optimizations. Four concrete parameter settings are provided, from a toy setting in dimension 512 to small, medium and large settings of dimensions 2048, 8192 and 32768, respectively. For the "large" setting the public key size is 2.3 Gigabytes. The authors of [8] report that for an optimized implementation on a high-end workstation, key generation takes 2.2 hours, encryption takes 3 minutes, and ciphertext refresh takes 30 minutes.

Optimized Gentry, 2010
Concurrently, Stehlé and Steinfeld described two improvements [9] to Gentry's fully homomorphic scheme based on ideal lattices and its analysis. They introduced a probabilistic decryption algorithm that can be implemented with an algebraic circuit of low multiplicative degree. Combined together, these improvements lead to a faster fully homomorphic scheme with Õ(λ^3.5) bit complexity per elementary binary add/mult gate.

SIMD Gentry, 2011
Gentry's scheme [1] performs encryption and decryption on plaintexts of 1-bit length. Hence it is intuitive to think that certain operations could be performed on several bits in parallel to reduce runtime. In [7], Smart and Vercauteren mentioned that SIMD (single instruction, multiple data) style operations on data can be supported by their scheme. In [10], Smart and Vercauteren show how to select parameters for Gentry and Halevi's implementation [8] that use SIMD operations for the somewhat homomorphic scheme, how to construct a fully homomorphic scheme when performing re-encryptions in parallel, and in which ways SIMD operations can be useful in practice. The main point is that the parallel version is 2.4 times faster than the standard FHE scheme and the ciphertext size is reduced to 1/72 of the original. Thus, exploiting parallelism in the constituent algorithms can increase the efficiency of a scheme.

Gentry-Halevi without squashing, 2011
Gentry and Halevi in [11] show how to get rid of squashing as well, using a completely different technique, while the construction still relies on ideal lattices. The new approach constructs FHE as a hybrid of a SWHE and a multiplicatively homomorphic encryption (MHE) scheme, and shows how to bootstrap without having to squash the decryption circuit. The main technique is to express the decryption function of SWHE schemes as a depth-3 (ΣΠΣ) arithmetic circuit of a particular form. When evaluating this circuit homomorphically (as needed for bootstrapping), an MHE scheme such as ElGamal is used to handle the Π part. Due to the special form of the circuit, the switch to the MHE scheme can be done without having to evaluate anything homomorphically. The result is translated back to the SWHE scheme by homomorphically evaluating the decryption function of the MHE scheme. Thus, the SWHE scheme only needs to be capable of evaluating the MHE scheme's decryption function, not its own decryption function, thereby avoiding the circularity that necessitated squashing in the original blueprint.

Gentry-Halevi-Smart, 2011
The main bottleneck in the bootstrapping procedure of Gentry's blueprint is the need to evaluate homomorphically the reduction of one integer modulo another. This is typically done by emulating a binary modular-reduction circuit, using bit operations on the binary representation of integers. Gentry, Halevi and Smart present a simpler approach [12] that bypasses the homomorphic modular-reduction bottleneck to some extent by working with a modulus very close to a power of two. The method is easier to describe and implement than the generic binary circuit approach, and is likely to be faster in practice. In some cases it also allows storing the encryption of the secret key as a single ciphertext, thus reducing the size of the public key. This method can also be combined with the SIMD homomorphic computation techniques.

2.6 Fully Homomorphic Encryption based on Approximate GCD

DGHV, 2010
Based on Gentry's approach, a different fully homomorphic scheme over the integers by van Dijk, Gentry, Halevi and Vaikuntanathan (DGHV) appeared at Eurocrypt 2010 [13]. As in Gentry's scheme, the authors first describe a somewhat homomorphic scheme supporting a limited number of additions and multiplications over encrypted bits. Then they apply Gentry's squashed-decryption technique to get a bootstrappable scheme, and then Gentry's ciphertext refresh procedure to get a fully homomorphic scheme. The main appeal of the scheme (compared to Gentry's original scheme) is its conceptual simplicity: all operations are done over the integers instead of ideal lattices. However, the public key was of size Õ(λ^10), which is too large for any practical system.
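To make the noise mechanism of sections 2.4 and 2.6 concrete, here is an added toy example (my illustration, not the dissertation's code nor the DGHV reference implementation) of the symmetric-key form of the DGHV somewhat-homomorphic scheme over the integers: a bit m is encrypted as c = p·q + 2r + m with a secret odd p, a large random q and a small noise r, and decrypted as (c mod p) mod 2 with the residue taken in (−p/2, p/2]. Adding or multiplying ciphertexts gives XOR or AND of the bits while the noise adds or multiplies. The script evaluates the two truth tables and then multiplies fresh ciphertexts together until the accumulated noise crosses p/2 and decryption silently fails, which is exactly the point at which Gentry's refresh (bootstrapping) would be needed; this toy has no refresh, so it stays "somewhat" homomorphic. The parameters (p = 2^31 − 1, 4-bit noise, 64-bit q) are constructed for readability and are far too small for security.

```python
"""Toy symmetric-key DGHV-style somewhat homomorphic encryption over the integers.
Added illustration with constructed, insecure parameters; not the dissertation's code."""
import random

P = 2**31 - 1        # secret odd modulus (constructed; real schemes use thousands of bits)
NOISE_BITS = 4       # fresh noise r satisfies |r| < 2**NOISE_BITS
Q_BITS = 64          # size of the random multiplier q that hides p


def centered_mod(x, p):
    """Reduce x into (-p/2, p/2]; for a ciphertext this residue is 2r + m, its noise term."""
    r = x % p
    return r - p if r > p // 2 else r


def encrypt(m, rng, r=None):
    """c = p*q + 2r + m.  r may be fixed by the caller to make noise growth predictable."""
    if m not in (0, 1):
        raise ValueError("plaintext must be a bit")
    q = rng.getrandbits(Q_BITS)
    if r is None:
        r = rng.randint(-(2**NOISE_BITS - 1), 2**NOISE_BITS - 1)
    return P * q + 2 * r + m


def decrypt(c):
    """Correct only while the accumulated noise satisfies |noise| < P/2."""
    return centered_mod(c, P) % 2


def noise(c):
    """Magnitude of the noise term, as seen by the holder of P."""
    return abs(centered_mod(c, P))


def add(c1, c2):
    return c1 + c2            # plaintexts XOR, noise terms add


def mul(c1, c2):
    return c1 * c2            # plaintexts AND, noise terms multiply


def truth_tables(seed=7):
    """Evaluate XOR and AND homomorphically on all four bit pairs."""
    rng = random.Random(seed)
    xor, and_ = {}, {}
    for a in (0, 1):
        for b in (0, 1):
            ca, cb = encrypt(a, rng), encrypt(b, rng)
            xor[(a, b)] = decrypt(add(ca, cb))
            and_[(a, b)] = decrypt(mul(ca, cb))
    return xor, and_


def max_fresh_noise():
    """Noise of a fresh encryption of 1 carrying the largest allowed r: 2r + 1."""
    return noise(encrypt(1, random.Random(1), r=2**NOISE_BITS - 1))


def first_failing_depth(max_k=16, seed=7):
    """Multiply k fresh encryptions of 1, each with maximal noise 2r + 1 = 31, so the
    product's true noise is 31**k.  Return the smallest k whose product no longer
    decrypts to 1: that is where 31**k exceeds P/2 and a refresh would be required."""
    rng = random.Random(seed)
    r_max = 2**NOISE_BITS - 1
    c = encrypt(1, rng, r=r_max)
    for k in range(2, max_k + 1):
        c = mul(c, encrypt(1, rng, r=r_max))
        if decrypt(c) != 1:
            return k
    return None


if __name__ == "__main__":
    print("XOR, AND tables:", truth_tables())
    print("fresh noise:", max_fresh_noise(), " P/2 =", P // 2)
    print("product of", first_failing_depth(), "fresh ciphertexts no longer decrypts")
```

With these parameters the noise of a product of k maximal-noise ciphertexts is 31^k, which stays below P/2 ≈ 1.07·10^9 up to k = 6 and wraps at k = 7, so the seventh multiplication returns a wrong bit with no error signal. A real DGHV deployment keeps p at thousands of bits so that the depth of the intended circuit fits under this bound, or bootstraps (section 2.4) to reset the noise; note also that nothing about the ciphertext reveals whether it is still decryptable, which is why evaluators must track circuit depth explicitly.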
The major achevement of [13] over [1] was that now 10

22 the plantext conssted of ntegers rather than sngle bts leadng to a better blueprnt to mprove upon Improved DGHV, 2011 Coron et al [14] showed how to reduce the publc key sze of the somewhat homomorphc 10 7 scheme from Õ( λ ) down to Õ( λ ). The dea conssts n storng only a smaller subset of the publc key and then generatng the full publc key on the y by combnng the elements n the small subset multplcatvely. The new scheme s stll semantcally secure, but under a stronger varant of the approxmate GCD assumpton. The second contrbuton of [14] s to descrbe an mplementaton of the fully homomorphc DGHV scheme under new varant, usng some of the optmzatons from [8]. They use the refned analyss from [9] of the sparse subset sum problem; but not the probablstc decrypton crcut from [9] because as n [8] the error probablty s too hgh for chosen set of parameters. The man dffculty s to determne a secure set of concrete parameters. The approach n [14] s to mplement the known attacks, measure ther runnng tme and extrapolate for large parameters, so that concrete parameters accordng to the desred level of securty can be fxed. [14] have obtaned smlar performances as the Gentry-Halev mplementaton [8]. More precsely the four securty levels nspred by the levels from [8] (though they may not be drectly comparable due to dfferent notons of securty bts ): toy, small, medum and large, correspondng to 42, 52, 62 and 72 bts of securty respectvely. For large" parameters, encrypton and recrypton take 3 mnutes and 14 mnutes respectvely, wth a publc key sze of 800 MBytes. Decrypton s always close to nstantaneous. Ths shows that fully homomorphc encrypton can be mplemented wth a smple scheme Attack on DGHV, 2012 Chunsheng proposed a heurstc attack [15] on the fully homomorphc encrypton over the ntegers by usng lattce reducton algorthm. 
Ther result shows that one can drectly obtan the plantext from a cphertext and the publc key wthout usng the secret key for some parameter settngs of the FHE n [13]. They constructed a new lattce based on the publc key and recover the plantext bt from cphertext by applyng LLL reducton algorthm. They further showed that such an attack can be avoded by settng parameter γ=λ 6. But, the scheme s less practcal n ths case. In addton, they suggested an mprovement scheme to avod the 11

23 above lattce attack. The secret key whch s a large nteger n [13] s now replaced by a matrx. To mplement FHE, one only needs to add cphertexts of the secret key to the publc key. The sze of the publc key s O(λ 3 log λ) and the sze of the secret key s O(λ 2 ) Batch FHE, 2012 Coron, Lepont and Tbouch [16] extended the DGHV scheme to batch fully homomorphc encrypton,.e. to a scheme that supports encryptng and homomorphcally processng a vector of plantext bts as a sngle cphertext. It mantans semantc securty and allows one to perform arbtrary permutatons on the underlyng plantext vector gven the cphertext and the publc key. Though there s no notable achevement n terms of effcency, t presents a new approach for obtanng features of LWE-based FHE scheme n a scheme based on Approxmate-GCD CRT-based FHE, 2012 Km, Lee, Yun and Cheon [17] combned the deas of [4] and [13]. As compared to [13] ths scheme has larger plantext, reduced computaton overhead and support for SIMD style operatons. Though the achevement s not on effcency, [17] suggests new methods to construct a fully homomorphc encrypton scheme. 2.7 Fully Homomorphc Encrypton based on Rng-Learnng wth Errors FHE-LWE, 2011 Schemes based on Gentry s blueprnt suffer from large sze of keys and hgh per-gate evaluaton tme whch s a bottleneck n practcal deployment of FHE. Ths led to a new seres of research works. In partcular, Brakersk and Vakuntanathan [18] show that (leveled) FHE can be based on the hardness of the much more standard learnng wth errors (LWE) problem, usng a new re-lnearzaton technque. In contrast, all prevous schemes reled on complexty assumptons related to deals n varous rngs. Instead of usng squashng, ths proposal ntroduced a new dmenson-modulus reducton technque, whch shortens the cphertexts and reduces the decrypton complexty, wthout ntroducng addtonal 12

24 assumptons. Ths scheme has very short cphertexts and can be used t to construct an asymptotcally effcent LWE-based sngle-server prvate nformaton retreval (PIR) protocol, also proposed n [18] BGV, 2011 Brakersk, Gentry and Vakuntanathan [19] buld on (a refnement of) the man technque n [18] to construct an FHE scheme wth asymptotcally lnear effcency, that s the per gate computaton s almost lnear n securty parameter. Whle [18] uses modulus swtchng n one shot to obtan a small cphertext, ths scheme uses modulus swtchng teratvely, to keep the nose level essentally constant, whle sacrfcng modulus sze and gradually sacrfcng the remanng homomorphc capacty of the scheme Optmzed BGV, 2011 Lauter, Naehrg and Vakuntanathan publshed results [20] of mplementaton of the scheme BV [18]. They also proposed a number of applcaton-specfc optmzatons to the scheme. Most notably they show how to convert between dfferent message encodngs n a cphertext. They propose two methods. The frst s to encode ntegers n a cphertext so as to enable effcent computaton of ther sums and products over the ntegers. Ths s useful n computng the mean, the standard devaton and other prvate statstcs effcently. The second trck shows how to pack n encryptons of bts nto a sngle encrypton of the n-bt strng. Some homomorphc operatons, for example comparson of ntegers or prvate nformaton retreval, requre bt-wse encryptons of the nput. Once the answers are computed, though, they can be packed nto a sngle encrypton usng ths trck HELb, 2013 Recently, IBM has released software package HELb n Aprl HElb s a software lbrary that mplements homomorphc encrypton (HE). Currently avalable s an mplementaton of the BGV [19] scheme, along wth many optmzatons to make homomorphc evaluaton run faster, focusng mostly on effectve use of the Smart- Vercauteren [7] cphertext packng technques and the Gentry-Halev-Smart [12] optmzatons. 13

25 2.8 Fully Homomorphc Encrypton based on Large Integer Factorzaton Xao et al, 2012 In 2012 Xao et al developed a novel symmetrc-key homomorphc encrypton scheme [3]. It s proven that the securty of ths encrypton scheme s equvalent to the large nteger factorzaton problem, and t can wthstand an attack wth up to m ln poly( λ ) chosen plantexts for any predetermned m, constant that s polynomal n the securty parameter λ. Multplcaton, encrypton, and decrypton are almost lnear n mλ, and addton s lnear n mλ. The scheme downgrades the securty requrement to acheve effcency. Although the algorthm s not semantcally secure, t can face an adversary wth up to m ln poly( λ) chosen plantext and cphertext pars, and the securty s equvalent to the large nteger factorzaton problem. Thus, homomorphc encrypton scheme [3] can be used n applcatons where semantc securty s not requred and one-wayness securty s suffcent. A further consderaton n [3] s practcal multple-user data-centrc applcatons. To allow multple users to retreve data from a server all users need to have the same key. In [3] the master encrypton key s transformed nto dfferent user keys to develop a protocol to support correct and secure communcaton between the users and the server usng dfferent user keys. The data n the data center are encrypted usng homomorphc encrypton wth a master key k. Dfferent keys are assgned to dfferent users whch are actually transformatons of master key k. Such mult-user system can wthstand an adversary wth upto m ln poly( λ) plantextcphertext pars MORE&PORE, 2012 Kpns and Hbshoosh [21] present hgh performance non-determnstc fully-homomorphc methods for practcal randomzaton of data (over commutatve rng), and symmetrc-key encrypton of random mod-n data over rng Z N well suted for crypto applcatons. These methods secure, for example, the multvarate nput or the coeffcents of a polynomal functon runnng n an open untrusted envronment. 
The scheme has matrix-based operations very similar to [3] and polynomial-based operations, which is a novel idea. The efficient nature of the methods - one large-number multiplication per encryption and six for the product of two encrypted values - motivates and enables the use of low-cost collaborative security platforms for crypto applications such as keyed-hash or private key derivation

algorithms. It is shown how to secure the OSS public-key signature against the Pollard attack. Further, [21] demonstrates how the homomorphic randomization of data can offer protection for an AES key against side-channel attacks. Finally, the methods provide both fault detection and verification of computed-data integrity.

2.9 Homomorphic Encryption in Cloud Computing
Fully Homomorphic Encryption combines security with usability. It can help preserve customer privacy while outsourcing various kinds of computation, besides storage, to the cloud. Some concrete and valuable applications of FHE have been mentioned in [20]. They have considered situations where data streams from multiple sources are uploaded in encrypted form to the cloud, and processed by the cloud to provide valuable services to the content owner. There are two aspects of the computation to consider: the data itself (confidentiality), and the function to be computed on this data (circuit privacy). Depending on whether one or both of these are confidential and hence not to be disclosed to the cloud, [20] proposes three broad kinds of applications:
1. Medical applications: private data, public functions
2. Financial applications: private data, private functions
3. Advertising and pricing: only results are public
Application of FHE to database querying is studied systematically in [22]. It identifies what fully homomorphic encryption can do and what it cannot do well for supporting general database queries at a conceptual level. The study shows that using a fully homomorphic encryption scheme that supports addition, multiplication, AND and XOR on ciphertexts, it is possible to process a complex selection, range, join or aggregation query on encrypted data on the server side, and to return the encrypted matching answers in a result buffer.
For queries without fixed answer sizes, it is however not guaranteed that all matching answers will be correctly constructed from the result buffer; instead, the answers can be constructed from the result buffer with overwhelming probability.

Survey Extraction
Encryption schemes with homomorphic properties would satisfy the need for security while preserving system usability in clouds. While a major application of FHE is

delegation of computation due to lack of resources at the user end, the majority of schemes are computationally intensive, making them practically of no use for such users. The major problem is reducing key sizes to a manageable level, since the procedure requires at least three keys (encryption, re-encryption or evaluation, decryption). A related issue is noise management, as the noise associated with homomorphic evaluation increases with every operation on the ciphertext. Moreover, this noise puts a bound on the size of circuits that can be correctly evaluated homomorphically. Mostly the issue has been resolved by refreshing techniques, which in turn increase the overall time complexity of a computation. Much of the research has been devoted to developing FHE schemes using public-key cryptographic primitives; the area of symmetric FHE should also be explored, as there are many applications which are inherently suitable for symmetric encryption. Then, there are certain applications which involve multiple users, hence requiring multiparty protocols involving FHE. The majority of the existing FHE schemes have not explored this area. Furthermore, there is a need for a well-agreed-upon list of properties that any homomorphic encryption scheme should possess in order to be practically deployable. Properties like circuit privacy and targeted malleability have been discussed a lot in the literature, yet they have not all been consolidated. Also, security notions for conventional encryption have been applied as-is to homomorphic encryption, rendering any homomorphic scheme non-IND-CPA2 secure, which could mislead users into thinking that homomorphic encryption is not secure enough for them, while FHE aims at ensuring security where no other means is able to (like for data being used in a public cloud).

Chapter 3 HOMOMORPHIC ENCRYPTION
The aim of homomorphic cryptography is to ensure privacy of data in communication and storage processes, and to enable capabilities such as delegating computations to untrusted parties. If a user could take a problem defined in one algebraic system and encode it into a problem in a different algebraic system in a way that decoding back to the original algebraic system is hard, then the user could encode expensive computations and send them to the untrusted party. This untrusted party then performs the corresponding computation in the second algebraic system, returning the result to the user. Upon receiving the result, the user can decode it into a solution in the original algebraic system, while the untrusted party learns nothing of which computation was actually performed. Fig 3.1 illustrates this. Suppose we have a homomorphic cryptosystem which can translate operations on integers to operations on polynomials of a single variable. As shown in Fig 3.1, two integers are encrypted into polynomials $p_1(x)$ and $p_2(x)$. Now when these polynomials are added to give a third polynomial, it is required that the resultant polynomial, when translated back, equals the sum of the plaintext integers.
Figure 3.1 Concept of Homomorphic encryption
This chapter discusses various basic definitions and other terminology related to homomorphic cryptosystems. Thereafter we present a consolidated list of properties of homomorphic cryptosystems, and some representative applications.

3.1 Homomorphic Encryption: Terminology

At a high level, the essence of fully homomorphic encryption is simple: given ciphertexts that encrypt the plaintexts $x_1, x_2, \ldots, x_n$, fully homomorphic encryption should allow anyone (not just the key-holder) to output a ciphertext that encrypts $f(x_1, x_2, \ldots, x_n)$ for any desired function f, as long as that function can be efficiently computed. No information about $x_1, x_2, \ldots, x_n$ or $f(x_1, x_2, \ldots, x_n)$, or any intermediate plaintext values, should leak; the inputs, output and intermediate values are always encrypted. There are different ways of defining what it means for the final ciphertext to encrypt $f(x_1, x_2, \ldots, x_n)$. The minimal requirement is correctness. Various aspects of such computation along with encryption lead to different forms of homomorphic encryption. Below we present formal definitions related to cryptosystems which possess homomorphic computation capability.

Homomorphic Encryption
Formally, a homomorphic encryption scheme has so far been defined only in the context of public-key systems. We extend the existing definition so as to incorporate both symmetric as well as public-key systems. A homomorphic encryption scheme is a quadruple of probabilistic polynomial-time algorithms $\varepsilon = (\mathrm{Keygen}, \mathrm{Enc}, \mathrm{Dec}, \mathrm{Eval})$.

Keygen: In public-key based systems the key generation algorithm takes as input the security parameter $\lambda$ and outputs keys (pk, sk, ek), where pk is the public key, sk is the private key, and ek is the evaluation key. In symmetric-key systems the algorithm takes as input the security parameters $\lambda$ and m and outputs keys (k, ek), where k is the secret key and ek is the evaluation key.

Enc: The encryption algorithm converts plaintext to ciphertext as $c \leftarrow \mathrm{Enc}(\pi, key_1)$. $\pi$ is a plaintext bit or integer, and $key_1$ is pk for a public-key cryptosystem and k for a symmetric scheme.

Dec: The decryption algorithm converts ciphertext to plaintext as $\pi \leftarrow \mathrm{Dec}(c, key_2)$. $key_2$ is sk for a public-key cryptosystem and k for a symmetric scheme.

Eval: The homomorphic evaluation algorithm evaluates the result of a computation f on ciphertexts $c_1, c_2, \ldots, c_l$ using the evaluation key ek: $c_f \leftarrow \mathrm{Eval}(f, c_1, c_2, \ldots, c_l, ek)$.
Use of this key is optional, as in some schemes, like that of our proposal, there is no need for an evaluation key.

Here, if f is represented as an arithmetic circuit or, equivalently, a Boolean circuit, the scheme is said to be circuit-based. When f is defined as a mathematical function, the scheme is non-circuit based.
Figure 3.2 Homomorphic Encryption with Asymmetric keys

C-homomorphism
Let C be a class of functions. A scheme $\varepsilon$ is C-homomorphic if for every function f in C, the Eval algorithm of $\varepsilon$ outputs $c_f$ such that
$$c_f \leftarrow \mathrm{Eval}(f, c_1, c_2, \ldots, c_l, ek) \quad \text{and} \quad f(\pi_1, \pi_2, \ldots, \pi_l) = \mathrm{Dec}(c_f, key_2).$$

Compactness
Compactness requires that the size of the ciphertext after homomorphic evaluation does not depend on either the number of inputs or the complexity of the function f, but only on the size of the output of f.

Somewhat homomorphic
A somewhat homomorphic scheme supports a limited number of additions and multiplications on ciphertexts. This is because every ciphertext has a noise component and any homomorphic operation applied to ciphertexts increases the noise in the resulting ciphertext. Once this noise

reaches a certain threshold the resulting ciphertext does not decrypt correctly anymore; this limits the degree of the polynomial that can be applied to ciphertexts.

Fully homomorphic encryption
A scheme $\varepsilon$ is fully homomorphic if it is both compact and homomorphic for the class of all arithmetic circuits over GF(2).

Leveled fully homomorphic
This is a relaxation of a fully homomorphic scheme. A leveled fully homomorphic encryption scheme is a homomorphic scheme where the Keygen algorithm gets an additional input l and the resulting scheme is homomorphic for all depth-l binary arithmetic circuits.

Multi-hop Homomorphic
In some applications, it is useful to require that the output of algorithm Eval can be used as an input for another homomorphic evaluation. A homomorphic encryption scheme with this property is called a multi-hop homomorphic encryption scheme.

3.2 Properties of Homomorphic Encryption
The field of homomorphic cryptography is still at a developing stage and various schemes differ in what they have to offer. Selecting a scheme for an application requires a consumer to check its suitability to the application. Various applications require homomorphic operations from different perspectives. This variety poses some challenges in the design of fully homomorphic schemes. Also, certain issues should be addressed well before one embarks upon devising a new scheme. This section presents some of the major concerns as to what is expected of a fully homomorphic encryption scheme so that it is practical and feasible enough to be employed in a given application. We have identified some common properties which already exist or are desirable in a homomorphic encryption scheme. They are:
1. Circuit/Function privacy - Circuit privacy is a property of homomorphic encryption that guarantees that the server's input, namely the computation function f, remains private from the client. In particular, circuit privacy requires that the output of $\mathrm{Eval}(f, c_1, c_2, \ldots, c_l, ek)$ does not reveal any information about f to the client, beyond the output $f(\pi_1, \pi_2, \ldots, \pi_l)$.
This has a security implication when computations have been delegated to an untrusted party. Hence, it is needed in applications involving multiparty

computation, secure delegation of computation, applications involving public data with private functions, and the like.
2. Targeted Malleability - In the context of conventional cryptography, malleability is an undesirable property. An encryption algorithm is malleable if it is possible for an adversary to transform a ciphertext into another ciphertext which decrypts to a related plaintext. That is, given an encryption of a plaintext m, it is possible to generate another ciphertext which decrypts to f(m), for a known function f, without necessarily knowing or learning m. It actually allows an attacker to modify the contents of a message. But isn't this the aim of FHE, to be able to compute a function of m without knowing m? Hence, here we turn to a related property called targeted malleability. This notion of targeted malleability was put forward by Boneh et al. [23]: given an encryption scheme that supports homomorphic operations with respect to some set of functions F, we would like to ensure that the malleability of the scheme is targeted only at the set F. That is, it should not be possible to apply any homomorphic operation other than the ones in F. [23] also suggests how this can be achieved, by requiring the entity performing the homomorphic operation to embed a proof in the ciphertext showing that the ciphertext was computed using an allowable function. The decryptor can then verify the proof before decrypting the ciphertext. The problem that might arise due to repeatedly performing a homomorphic operation is that the number of proofs grows, making the ciphertext grow at least linearly with the number of repeated homomorphic operations. Thus, limiting this expansion is also highly desirable.
3. Verifiability of Computation - Homomorphic encryption is being considered as an answer to the problem of securely outsourcing computations, yet it is useful only when the returned result can be trusted. Here verifiability of the result comes into the picture. One such scenario is delegating computation to a cloud.
One of the main security issues that arises in this setting is: how can the clients trust that the cloud performed the computation correctly? After all, the cloud has a financial incentive to run a fast computation which could be incorrect, freeing up valuable compute time for other transactions. Is there a way to verifiably outsource computations, where the client can, without much computational effort, check the correctness of the results provided by the cloud? Furthermore, can this be done without requiring much interaction between the client and the cloud?
4. Multiple Users - Almost every proposed fully homomorphic scheme considers a single-user setting, with the exception of [3], which discusses how multiple users can

participate in a homomorphic operation. Most applications of homomorphic operations involve multiple data items coming from different users (like multiparty computations). Hence, the focus should be on devising homomorphic operations which can be used in multi-user systems.
5. Parallel Computations - If the evaluation function of a homomorphic scheme is able to use the inherent parallelism of certain computations like matrix multiplication, we can benefit in terms of efficiency. If a number of bits can be packed into a single argument (like an integer) and the homomorphic evaluation function performs as if the function were performed per bit, we can benefit in terms of communication cost, ciphertext length and efficiency. This promises to be a field of interesting research. The Single Instruction Multiple Data approach can be applied when many messages are to be encrypted, or decrypted, using the same key.
6. Unlinkability - A term related to circuit privacy is unlinkability, which asks that the output of the homomorphic evaluation algorithm be computationally indistinguishable from the output of the encryption algorithm.
7. Multi-hop - If a sequence of operations can be performed on a ciphertext in succession without the need for any intermediate step which is not a part of the overall computation being performed, then the FHE scheme is said to be multi-hop. This is possible if the output of the Eval algorithm is of the same form as its input.

3.3 Applications of Homomorphic Encryption
The potential of homomorphic encryption was identified very early. Since then there have been many applications which necessitated a scheme that could compute homomorphically on encrypted data. The growing interest in and inclination towards cloud computing has opened numerous possible application areas for HE. According to the authors in [20], these applications can be broadly classified based on whether we expect confidentiality of data, circuit privacy, or both.
The categories are:
Private data, public functions: as in medical applications
Private data, private functions: as in financial applications
Applications like advertising and pricing, where only the results should be public
All the above categories of applications assume a single data (content) owner who encrypts the data and stores it on an untrusted cloud. But with different cloud models and usage scenarios

upcoming, we should look at a few representative categories of applications of Homomorphic Encryption.

Electronic Voting
Electronic voting is a special case of delegation of computation where one would like the election authorities to be able to count the votes and present the final results, but dislikes the idea that individual votes are first decrypted and afterwards tallied. In a voting system based on homomorphic encryption, voters take turns incrementing an encrypted vote tally using a homomorphic operation. They are only allowed to increase the encrypted tally by 1 (indicating a vote for the candidate) or by 0 (indicating no vote for the candidate). In elections where each voter votes for one of l candidates, voters modify the encrypted tallies by adding an l-bit vector, where exactly one entry is 1 and the rest are all 0s. They are unable to modify the counters in any other way. Thus, homomorphic encryption is a solution for creating a secret ballot system online, where not only are votes disclosed to nobody but the voter, but issues like vote-buying and coercion can also be dealt with.

Spam filters
A spam filter implemented in a mail server adds a spam tag to encrypted emails whose content satisfies a certain spam predicate. The filter should be allowed to run the spam predicate, but should not modify the email contents. In this case, the set of allowable functions F would be the set of allowable spam predicates and nothing else. As email passes from one server to the next, each server homomorphically computes its spam predicate on the encrypted output of the previous server. Each spam filter in the chain can run its chosen spam predicate and nothing else.

Data management and Query processing in Clouds
If all data (personal, health, financial etc.) stored in the cloud were encrypted, that would effectively solve issues related to data security. However, a user would be unable to leverage the power of the cloud to carry out computation on data without first decrypting it, or shipping it entirely back to the user for computation.
The cloud provider thus has to decrypt the data first (nullifying privacy and confidentiality), perform the computation and then send the result to the user. What if the user could carry out any arbitrary computation on the hosted data without the cloud provider learning about the user's data, that is, computation done on encrypted data without prior decryption? This is the promise of fully homomorphic encryption schemes. However, there has not been a systematic study that analyzes the use of

fully homomorphic encryption for solving database queries beyond simple aggregations and numeric calculations, such as selection, range and join queries. Wang et al. [22] discuss this and show how to use homomorphic encryption for supporting general database queries at a conceptual level: a scheme that supports addition, multiplication, AND and XOR on ciphertexts can also be used to process a complex selection, range, join or aggregation query on encrypted data on the server side, and to return the encrypted matching answers in a result buffer. It is further observed in [22] that for queries without fixed answer sizes, it is not guaranteed that all matching answers will be correctly constructed from the result buffer; instead, the answers can be constructed from the result buffer with overwhelming probability.

Multiparty Computation
In the setting of multiparty computation one wants different parties to jointly compute some function without revealing their inputs to each other. Secure multiparty computation (MPC) can be defined as the problem of n players computing an agreed function of their inputs in a secure way, where security means guaranteeing the correctness of the output as well as the privacy of the players' inputs, even when some players cheat. Presently, to conduct such computations, one entity must usually know the inputs from all the participants; however, these computations could occur between mutually untrusted parties, or even between competitors, so if nobody can be trusted enough to know all the inputs, privacy becomes a primary concern. This privacy can be achieved through homomorphic encryption, and the computation itself can be expressed as a homomorphic circuit or function.

Commitment Schemes
Commitment schemes can be thought of like auctions, where the auctioneer wants to assure that the offers are not publicly known in the bidding phase while at the same time ensuring that no one is able to repudiate their own offer. Fully homomorphic operations can be used to find the bidder with the maximum offer at any time instant without revealing what the offer is.
Also, we need some control mechanism so that the bidder himself cannot repudiate or change the offer.

Private Information Retrieval
A Private Information Retrieval (PIR) protocol allows a database user, or client, to obtain information from a database in a manner that prevents the database from knowing which data was retrieved. Particularly, PIR allows a user to retrieve the i-th bit of an n-bit database without revealing the value of the index i to the database. A natural and more practical extension

of PIR is PBR (Private Block Retrieval) in which, instead of retrieving only a single bit, the user retrieves the i-th block, with d bits in it. Though the problem is currently solved by querying dynamically, a homomorphic scheme is a better solution. In particular we consider private information retrieval from either a public database or a database with a group of subscribers. Although clients can download the entire database, this takes too long for a large database. Thus PIR that protects only the user is desirable in this scenario. Currently, PIR using HE focuses on encrypting the value of i, and it is desirable to be able to encrypt the query itself such that the cloud can compute it on encrypted data. Given the rate of developments in homomorphic cryptography this seems achievable.

Chapter 4 FULLY HOMOMORPHIC ENCRYPTION SCHEME WITH SYMMETRIC KEYS
We describe a fully homomorphic encryption scheme with symmetric keys in this chapter. We also present a formal analysis with proofs for the performance and security of this scheme. Later sections of the chapter describe a protocol that uses the scheme for a private data processing application.

4.1 Preliminaries
All computations are performed within the ring $Z_N$, where N is a composite number, the product of 2m numbers. Let $\lambda$ denote the security parameter in the context of making the scheme CPA secure. In order to make the scheme withstand $\eta$ chosen plaintext attacks we choose m and $\lambda$ such that $\eta = m \ln \mathrm{poly}(\lambda)$, where $\mathrm{poly}(\lambda)$ denotes a fixed polynomial in $\lambda$. We choose 2m odd numbers $p_i$ and $q_i$, $1 \le i \le m$, which are mutually prime and of size $\lambda/2$ bits. If $\lambda$ is sufficiently large we can easily choose $p_i$ and $q_i$; that is, we take m to be a polynomial in $\lambda$ to ensure enough primes of length $\lambda/2$ bits. Let $f_i = p_i q_i$ and $N = \prod_{i=1}^{m} f_i$.

Lemma 1: Given m and $\lambda$ where $m = O(\mathrm{poly}(\lambda))$, it is possible to obtain 2m odd mutually prime numbers of length $\lambda/2$ bits in polynomial time.

Proof: By the Prime Number Theorem, there are approximately $x/\ln x$ prime numbers $p \le x$. Consider primes of length b bits; then there are $2^b/(b \ln 2)$ primes of length at most b bits. Thus, the total number of primes of length exactly b bits is
$$\frac{2^b}{b \ln 2} - \frac{2^{b-1}}{(b-1)\ln 2} = \frac{(b-1)\,2^b - b\,2^{b-1}}{b(b-1)\ln 2} = \frac{(b-2)\,2^{b-1}}{b(b-1)\ln 2}.$$

Thus, when we are finding 2m primes of length b bits, at any point there are at least
$$\frac{(b-2)\,2^{b-1}}{b(b-1)\ln 2} - 2m$$
primes of length b bits left. Since the total number of integers of exact length b bits is $2^b - 2^{b-1} = 2^{b-1}$, the probability that a randomly chosen number is prime is
$$\frac{\dfrac{(b-2)\,2^{b-1}}{b(b-1)\ln 2} - 2m}{2^{b-1}} = \frac{b-2}{b(b-1)\ln 2} - \frac{2m}{2^{b-1}}.$$
For $b = \lambda/2$, this gives
$$\frac{\lambda - 4}{\lambda(\lambda/2 - 1)\ln 2} - \frac{8m}{2^{\lambda/2 + 1}}.$$
If m is a polynomial in $\lambda$ and $\lambda$ is sufficiently large relative to m, then this probability is non-negligible. Primality of a number can be checked in polynomial time, and since we are choosing 2m numbers that are mutually prime, the test can be done in time $O(m)$, which is actually $O(\mathrm{poly}(\lambda))$.

Next we lay the foundation of the security of the scheme, which is derived as a reduction to the hardness of the large integer factorization problem.

Lemma 2: Factoring N in polynomial time is infeasible if Large Integer Factorization is infeasible.

Proof: Suppose A is an adversary which can factorize a number n into its two prime factors p and q of approximately equal bit length in polynomial time with probability $p'$. Each factor $f_i$ of N is a number with at least two prime factors. Thus, the probability $p''$ that an adversary can factorize $f_i$ is less than $p'$. Since N has m such factors, the probability with which the adversary can factorize N is $\prod_{i=1}^{m} p'' \le (p')^m$. If $p'$ is negligible, the probability of factoring N in polynomial time is also negligible.

Matrices over $Z_N$
The proposed scheme uses invertible matrices as keys, with elements from the ring $Z_N$. Lemma 3 below gives the condition which must be satisfied for a matrix to be invertible in $Z_N$. All matrix operations involved in this scheme are performed modulo N at the element level. Calculating the inverse of a matrix involves preparing the transpose of the adjoints (which

are also calculated modulo N) and then scalar multiplying by the multiplicative inverse in $Z_N$ of the determinant of the matrix.

Lemma 3: A matrix $K \in M_4(Z_N)$ is invertible if and only if $|K| \ne 0$ and $\gcd(|K|, N) = 1$, where $|K|$ is the determinant of K.

Proof: The process of finding the inverse of a matrix involves the multiplicative inverse of the determinant of the matrix, which exists iff the determinant value and N do not have a factor in common. Also, $|K| \ne 0$ eliminates the division-by-zero condition.

Corollary: No two rows or columns of the matrix K should be linearly dependent for it to be invertible. This is to ensure that $|K| \ne 0$.

Lemma 4: Let $N = \prod_{i=1}^{m} p_i q_i$, where $p_i$ and $q_i$ are mutually prime odd numbers of length $\lambda/2$ bits. A random matrix $K \in M_4(Z_N)$ is invertible with non-negligible probability.

Proof: As seen in Lemma 3, we need to choose a matrix $K \in M_4(Z_N)$ such that $\gcd(|K|, N) = 1$. Since the distribution of the values of $|K|$ over all matrices in $M_4(Z_N)$ is not known, we cannot give a formal proof for this lemma. Hence we provide an analytical proof. We pick 100 random matrices from the ring and check them for invertibility. The experiment is repeated five times for a particular value of N, and is performed for various values of N. Fig 4.1 shows the number of invertible matrices varying with the value of N. Fig 4.1(a) shows that for small values of N the probability of a random matrix being invertible is not high, but as we increase N, this probability shoots up. The 2m factors of N here are all prime numbers. Fig 4.1(b) shows that when all 2m factors are mutually prime numbers, the probability is as high as in Fig 4.1(a). Hence we can deduce that the probability of finding an invertible matrix is non-negligible for large values of N.

Figure 4.1(a) Variation of the number of invertible matrices with the value of N, all factors prime
Figure 4.1(b) Variation of the number of invertible matrices with the value of N, all factors mutually prime

4.2 Design Concept
The basic concept is to translate operations on integers in the ring $Z_N$ to operations in the ring $M_4(Z_N)$. Thus, all operations are on square matrices of size 4, which are sufficiently small to be used practically. To make a homomorphic scheme useful enough, we propose a scheme with the following set of operations:
Cryptographic functions: Functions to generate the symmetric key, encrypt a plaintext, and decrypt a ciphertext.
Evaluation operations: To perform any arbitrary operation on data homomorphically, we need to translate it into these basic evaluation operations and then evaluate.

Application specific functions: These functions provide facilities, like a key translate function, recryption etc., for the scheme's adaptation to an application scenario.
The main idea is to construct a matrix with an eigenvalue equal to the plaintext x. This can be very simply achieved with matrices of size 2, in the ring $M_2(Z_N)$ where N = pq, p and q being two large prime numbers, as follows:
$$E_1(x) = \begin{pmatrix} x & 0 \\ 0 & r \end{pmatrix} \bmod N$$
The major fallacy here is that x is the eigenvalue of the eigenvector $v = (1, 0)^T$. An adversary with a ciphertext simply has to solve the linear equation system $E_1(x) \cdot v = x \cdot v$ to obtain x. To mitigate this problem we can apply a similarity transform to $\begin{pmatrix} x & 0 \\ 0 & r \end{pmatrix}$, governed by an invertible matrix k, called the key. The scheme is now
$$E_2(x, k) = k \begin{pmatrix} x & 0 \\ 0 & r \end{pmatrix} k^{-1} \bmod N$$
Though an adversary now cannot establish a linear equation system for the transformed eigenvectors, it can very well derive the characteristic equation
$$\det(zI - E_2(x, k)) \equiv 0 \pmod N \quad \Rightarrow \quad z^2 - (x + r)z + xr \equiv 0 \pmod N.$$
Though it is infeasible to solve this equation without factorizing N, which is hard, a chosen plaintext attack is nevertheless possible with merely two chosen plaintext-ciphertext pairs. To thwart the chosen plaintext attack, we need to associate x with two eigenvectors $v_1$ and $v_2$. All plaintexts should have the same $v_1$ so that homomorphic operations are possible. A different $v_2$ for each plaintext is sufficient to withstand the chosen plaintext attack. We discuss this security aspect formally in a later section. Having two eigenvectors implies an increase in the dimension of the matrices. Now, we consider matrices of size 4, and also strengthen the scheme by increasing the number of factors of N.

4.3 The Cryptosystem
4.3.1 Key generation
The secret key of the proposed scheme is an invertible matrix in $Z_N$ of size 4, and hence theoretically does not involve any computation. Yet the process of choosing the key matrix requires more elaboration. We can easily use Lemma 3 and its corollary to check the invertibility of a matrix. There can be three approaches:
1. Sequentially search the entire space of all possible 4x4 matrices in $Z_N$, beginning at any random point, and stop at the first invertible matrix, returning this as the key. The random starting point of the search could be very crucial in deciding the time taken for the search.
2. Randomly pick a matrix; if it is invertible then the search is over, otherwise repeat until an invertible matrix is found. The complexity is that of calculating the determinant of a matrix.
3. Instead of just randomly picking a matrix and checking whether it is invertible or not, or going through an entire list, we take a middle path. We build the matrix from random elements and pause as soon as its non-invertibility is proved, then restart all over. This has a lower computational cost than finding the determinant of the entire matrix, since it uses the results of Lemma 3 and its corollary.
In effect, the key matrix in our scheme is constructed using elements from a pseudo-random sequence of numbers, reduced modulo N. The matrix is constructed row-wise, discarding any element (not the entire matrix) which would make a row linearly dependent on a previous row. Also, a row or column of all zeros is avoided. During construction of the last row we also check that the columns are linearly independent of each other. When an invertible matrix is found it is published as the key. Even this approach matches the time complexity of the 2nd approach in the worst case. This approach is used to implement the 3rd step of the KeyGen algorithm, as shown below:

Keygen_4(m, $\lambda$)
1. Choose 2m odd numbers $p_i$ and $q_i$, $1 \le i \le m$, which are mutually prime and of size $\lambda/2$ bits.
2. Let $f_i = p_i q_i$ and $N = \prod_{i=1}^{m} f_i$.
3. Pick an invertible matrix k of size 4, $k \in M_4(Z_N)$.
4. Compute its inverse $k^{-1}$ modulo N.
5. Output $\langle f_i, N, k, k^{-1} \rangle$ as Ktuple.

4.3.2 Encryption/Randomization
The plaintext $x \in Z_N$ is encrypted or randomized into a matrix $C \in M_4(Z_N)$. It is indeed a similarity transformation of a diagonal matrix $\mathrm{diag}(x, x_1, x_2, x_3)$, where $x_i$, $1 \le i \le 3$, are solutions to sets of linear congruences computed using the Chinese Remainder Theorem. The congruences depend on the plaintext x and a random value $r \in Z_N$, $r \ne x$. First we construct a 3x3 matrix as
$$\begin{pmatrix} x & r & r \\ r & x & r \\ r & r & x \end{pmatrix}$$
Now we pick m rows at random from this matrix to construct an m x 3 matrix and call it X. This ensures that each row of X has only one element equal to the plaintext x. Each column of X is used to form the simultaneous congruences. The algorithm is as follows:
Enc_4(x, Ktuple)
1. Choose a random value $r \in Z_N$, $r \ne x$.
2. Construct a matrix X (m x 3) such that each row has only one element equal to x, and the other two equal to r.
3. Using the Chinese Remainder Theorem, set $x_j$, $1 \le j \le 3$, to be the solution to the simultaneous congruences $x_j \equiv X_{ij} \pmod{f_i}$, $1 \le i \le m$.
4. Ciphertext $C = k \cdot \mathrm{diag}(x, x_1, x_2, x_3) \cdot k^{-1}$.
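The following is an added example, not code from the thesis: a Python implementation of Keygen_4 and Enc_4 above, together with the decryption rule $x = (k^{-1} C k)_{11}$ and the matrix add/multiply evaluation defined in the subsections that follow, run on the toy parameters of Example 4.1 (m = 2, p = {3, 5}, q = {7, 11}, N = 1155). Key generation follows the second approach of 4.3.1 (random pick, Lemma 3 check); the dict layout of Ktuple and the function names are my own.

```python
"""Added example (not the thesis author's code): the Chapter 4 symmetric-key
scheme over Z_N with 4x4 matrices, instantiated with the toy parameters of
Example 4.1 (m = 2, p = {3, 5}, q = {7, 11}, f = (21, 55), N = 1155)."""
import random
from math import gcd

def mat_mul(a, b, n):
    """Product of two square matrices with every entry reduced modulo n."""
    size = len(a)
    return [[sum(a[i][t] * b[t][j] for t in range(size)) % n
             for j in range(size)] for i in range(size)]

def mat_add(a, b, n):
    """Entry-wise sum modulo n (homomorphic addition of two ciphertexts)."""
    return [[(x + y) % n for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def minor(a, row, col):
    """Matrix a with the given row and column deleted."""
    return [r[:col] + r[col + 1:] for i, r in enumerate(a) if i != row]

def det(a):
    """Determinant over the integers by Laplace expansion (fine for 4x4)."""
    if len(a) == 1:
        return a[0][0]
    return sum((-1) ** j * a[0][j] * det(minor(a, 0, j)) for j in range(len(a)))

def is_invertible(k, n):
    """Lemma 3: K is invertible in M_4(Z_N) iff |K| != 0 and gcd(|K|, N) = 1."""
    d = det(k) % n
    return d != 0 and gcd(d, n) == 1

def mat_inv(k, n):
    """k^-1 mod n as |k|^-1 times the adjugate (transposed cofactor matrix)."""
    size = len(k)
    d_inv = pow(det(k) % n, -1, n)
    adj = [[(-1) ** (i + j) * det(minor(k, j, i)) for j in range(size)]
           for i in range(size)]
    return [[(d_inv * adj[i][j]) % n for j in range(size)] for i in range(size)]

def crt(residues, moduli):
    """Smallest x >= 0 with x = a_i (mod f_i) for pairwise coprime moduli f_i."""
    x, mod = 0, 1
    for a, f in zip(residues, moduli):
        x += mod * (((a - x) * pow(mod, -1, f)) % f)
        mod *= f
    return x % mod

def keygen(p, q, rng):
    """Keygen_4: N = prod(p_i q_i) plus a random invertible key (approach 2 of 4.3.1).
    Returns Ktuple <f_i, N, k, k^-1> as a dict (field names are mine)."""
    nums = list(p) + list(q)
    assert all(v % 2 == 1 for v in nums), "all 2m factors must be odd"
    assert all(gcd(a, b) == 1 for i, a in enumerate(nums) for b in nums[i + 1:]), \
        "all 2m factors must be mutually prime"
    f = [pi * qi for pi, qi in zip(p, q)]
    n = 1
    for fi in f:
        n *= fi
    while True:  # Lemma 4: a random matrix is invertible with good probability
        k = [[rng.randrange(n) for _ in range(4)] for _ in range(4)]
        if is_invertible(k, n):
            return {"f": f, "N": n, "k": k, "k_inv": mat_inv(k, n)}

def enc(x, key, rng, r=None, rows=None):
    """Enc_4: C = k * diag(x, x1, x2, x3) * k^-1 mod N.
    X is m x 3 with rows picked from [[x,r,r],[r,x,r],[r,r,x]]; x_j solves
    x_j = X[i][j] (mod f_i) for i = 1..m by the CRT."""
    f, n, k, k_inv = key["f"], key["N"], key["k"], key["k_inv"]
    x %= n
    while r is None or r == x:          # random r in Z_N with r != x
        r = rng.randrange(n)
    if rows is None:
        rows = [rng.randrange(3) for _ in range(len(f))]
    base = [[x, r, r], [r, x, r], [r, r, x]]
    X = [base[i] for i in rows]
    diag = [x] + [crt([row[j] for row in X], f) for j in range(3)]
    d = [[diag[i] if i == j else 0 for j in range(4)] for i in range(4)]
    return mat_mul(mat_mul(k, d, n), k_inv, n)

def dec(c, key):
    """Dec: undo the similarity transform and read x = (k^-1 C k)_11."""
    n, k, k_inv = key["N"], key["k"], key["k_inv"]
    return mat_mul(mat_mul(k_inv, c, n), k, n)[0][0]

def demo(seed=2013):
    """Examples 4.1 and 4.2: Dec(Enc(257)), then 5 + 12 and 5 * 12 under encryption."""
    rng = random.Random(seed)
    key = keygen([3, 5], [7, 11], rng)
    n = key["N"]
    c = enc(257, key, rng, r=291, rows=[1, 2])  # rows (r,x,r),(r,r,x) as in Example 4.1
    c1, c2 = enc(5, key, rng), enc(12, key, rng)
    return {"N": n, "x": dec(c, key),
            "sum": dec(mat_add(c1, c2, n), key),
            "product": dec(mat_mul(c1, c2, n), key)}

if __name__ == "__main__":
    print(demo())  # {'N': 1155, 'x': 257, 'sum': 17, 'product': 60}
```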

4.3.3 Decryption
This is a single-step process which involves applying the inverse transformation to the ciphertext matrix and then extracting the plaintext as the first element of the diagonal matrix obtained.
Dec(C, Ktuple_{2-4})
1. Output the plaintext as $x = (k^{-1} C k)_{11}$.
The correctness of the decryption algorithm is proven below.

Lemma 5: The encryption scheme (KeyGen, Enc, Dec) is correct.

Proof: We know that $k \cdot k^{-1} = k^{-1} \cdot k = I$ and for any matrix A, $A \cdot I = I \cdot A = A$. It is easy to note that
$$\mathrm{Dec}(C, k) = (k^{-1} \cdot C \cdot k)_{11} = (k^{-1} \cdot k \cdot \mathrm{diag}(x, x_1, x_2, x_3) \cdot k^{-1} \cdot k)_{11} = (\mathrm{diag}(x, x_1, x_2, x_3))_{11} = x.$$
This proves the lemma.

Example 4.1
We present here a toy example to illustrate the method, selecting the lowest prime numbers. Let m = 2, p = {3, 5} and q = {7, 11}. This gives $f_1 = 21$, $f_2 = 55$ and N = 1155. For these parameters, suppose the Keygen function generates a key k = (4x4 matrix not reproduced) with inverse $k^{-1}$ = (4x4 matrix not reproduced). To encrypt the plaintext x = 257, we construct the diagonal matrix as follows:

Select the random number $r = 291$. Choosing the second row of the $3 \times 3$ matrix for $f_1$ and the third row for $f_2$, the matrix $X$ is
$$X = \begin{pmatrix} 291 & 257 & 291 \\ 291 & 291 & 257 \end{pmatrix}$$
This gives us the following linear congruences, one system per column of $X$:
$$x_1 \equiv 291 \pmod{21}, \quad x_1 \equiv 291 \pmod{55}$$
$$x_2 \equiv 257 \pmod{21}, \quad x_2 \equiv 291 \pmod{55}$$
$$x_3 \equiv 291 \pmod{21}, \quad x_3 \equiv 257 \pmod{55}$$
The solutions to the congruences are 291, 236 and 312 respectively (check: $236 \equiv 5 \equiv 257 \pmod{21}$ and $236 \equiv 16 \equiv 291 \pmod{55}$). Encryption proceeds as
$$C = k^{-1} \cdot \mathrm{diag}(257, 291, 236, 312) \cdot k.$$
Decryption is done as
$$x = [k \cdot C \cdot k^{-1}]_{11} = 257.$$

4.3.4 Evaluation

There is only one general evaluation function, defined for a computation $f$. It is expected that $f$ is translated into basic operations on integers; the actual implementation performs the analogous operations on matrices. Namely, to perform addition, subtraction, multiplication or division of two numbers homomorphically, we add, subtract, multiply or divide their ciphertexts simply as two matrices. (Division means multiplication by the inverse matrix $C_2^{-1} = k^{-1} \cdot \mathrm{diag}(x, x_1, x_2, x_3)^{-1} \cdot k$, which exists only when every diagonal entry of the divisor is a unit modulo $N$.) $Y = \mathrm{Eval}(f, C_1, C_2, \ldots, C_n)$ performs the computation $f$ on the operands $C_1, C_2, \ldots, C_n$. Our evaluation function does not require any evaluation key. Note that all operations on matrices are performed within the ring $M_4(\mathbb{Z}_N)$, so results are correct modulo $N$ and the plaintext result must stay below $N$ to be recovered as an integer. To illustrate homomorphic operation we present the following example.

Example 4.2. Consider the addition of two integers. Let $m = 2$, $p = \{3, 5\}$ and $q = \{7, 11\}$. This gives $f_1 = 21$, $f_2 = 55$ and $N = 1155$. For these parameters, suppose the KeyGen function generates the key

$k$ with inverse $k^{-1}$. To add the two numbers 5 and 12, we encrypt them using key $k$ and obtain the ciphertexts $C_1 = \mathrm{Enc}(5, k)$ and $C_2 = \mathrm{Enc}(12, k)$. Now, we add the ciphertexts instead of adding the plaintexts:
$$C_1 + C_2 = C.$$
The resultant $C$ is treated as a ciphertext and decrypted as usual:
$$y = (k \cdot (C_1 + C_2) \cdot k^{-1})_{11} = 17.$$
As can easily be observed, the decryption (17) is the result of adding the two plaintexts (5 and 12), illustrating that the scheme is additively homomorphic. Now we multiply the ciphertexts $C_1$ and $C_2$:

$$C_1 \cdot C_2 = C.$$
The resultant $C$ is treated as a ciphertext and decrypted as usual:
$$y = (k \cdot (C_1 \cdot C_2) \cdot k^{-1})_{11} = 60.$$
As can easily be observed, the decryption (60) is the result of multiplying the two plaintexts (5 and 12), illustrating that the scheme is multiplicatively homomorphic. Both properties follow from $C_1 \circ C_2 = k^{-1} (D_1 \circ D_2) k$ for $\circ \in \{+, \cdot\}$, where $D_1, D_2$ are the diagonal matrices of the two plaintexts, and diagonal matrices add and multiply entrywise. Since there is no noise term, the number of operations is unbounded; thus, our scheme is fully homomorphic.

4.3.5 Selecting N

We assume a security parameter $\lambda$ in the context of making the scheme IND-CPA secure; that is, in order to withstand $\eta$ plaintext attacks we choose $m$ and $\lambda$ such that $\eta = m \ln \mathrm{poly}(\lambda)$, where $\mathrm{poly}(\lambda)$ denotes a fixed polynomial in $\lambda$. $N$ is computed as the product of $2m$ numbers. Xiao et al. [3] propose that all these $2m$ numbers be distinct primes. We modify, or relax, this requirement to $2m$ mutually prime numbers. Moreover, [3] allows $N$ to be even (that is, the prime 2 is allowed), which is dropped in our scheme. Thus, $N$ is the product of $2m$ odd, mutually prime numbers. Furthermore, the fact that these $2m$ numbers may now be composite implies that the total number of prime factors of $N$ is more than $2m$, which in our analysis makes the scheme more secure (now $N$ needs to be factorized into $2m$ composite factors). Note, however, that the running time of elliptic-curve factoring depends on the size of the smallest prime factor of $N$ rather than on the number of factors, so the prime factors of each composite $p_i$, $q_i$ must themselves be kept large. As we will discuss in a later section, the security of the scheme is derived from the hardness of factorizing a large integer. The original scheme [3] has the weakness that capturing a few ciphertexts may disclose the approximate length of $N$ in bits. In order to benefit from the hardness of factorization we increase the value of $m$, implying that we increase the number of factors of $N$. But $m$ is bounded by the length of $N$; hence, to increase the number of prime factors of $N$, we can make these $2m$

factors composite. Thus, we have the benefit of increasing the number of prime factors of $N$ without increasing $m$.

4.4 Application-specific Primitives

The proposed scheme has primitives which are useful when the scheme is used for delegation of computation. These primitives derive their functionality from properties of matrices but are homomorphic in nature. They can be combined with homomorphic encryption or other encryption techniques for certain practical applications.

4.4.1 Lock-Unlock Operations

In order to evaluate a function homomorphically we need all inputs to be encrypted using the same key. Moreover, decryption must also be performed using that same key to retrieve the result. This naturally raises the need for a method to compute homomorphically on ciphertexts encrypted under altogether different keys, or at least under related keys rather than the same key. In this section we introduce primitives which convert a ciphertext under one key into a ciphertext under another key, and show how to generate a set of related keys so that operations can be performed on ciphertexts encrypted under them in some order, with the final result decrypted using yet another key.

For any matrix $A$ and an invertible matrix $k$, the Lock operation is defined as

Lock(A, Ktuple_{2-4})
1. Output the matrix $B = k^{-1} \cdot A \cdot k$.

Thus, Lock outputs a randomization of the input matrix under $k$. It is the same as the last step of the encryption algorithm. Analogously, Unlock inverts this similarity transformation, as in the decryption algorithm:

Unlock(B, Ktuple_{2-4})
1. Output the matrix $A = k \cdot B \cdot k^{-1}$.

The exact application is discussed in Section 4.5. The beauty of this scheme is its simplicity and adaptability to a multi-key scenario. Also, the operations need not be performed in the order Lock then Unlock; we can also have Unlock followed by Lock (i.e. Unlock(B, k) to obtain $A$ and then Lock(A, k) to get $B$ back). Note that Lock operations under different keys do not commute, since matrix multiplication does not: $\mathrm{Lock}(\mathrm{Lock}(A, k'), k'') = (k' k'')^{-1} A (k' k'')$, which is Lock under the product $k' k''$ in that order.

4.4.2 Key Set Generation

For certain multi-user scenarios we need symmetric keys of different levels; in other words we need individual and group keys separately, yet we desire some interoperability among them. The function KeySetGen generates key matrices which can be used for encryption and for Lock-Unlock operations, with the property that it produces a set of matching keys. A set $(k, k', k'', k''')$ is said to be a set of matching keys if $k = k' \cdot k'' \cdot k'''$ holds, where $k$ is generally referred to as the master key. This is a three-level set. We may also use a two-level set in certain applications, that is $(k, k', k'')$ where $k = k' \cdot k''$.

KeySetGen_s(l, m, λ)
1. Choose $2m$ odd numbers $p_i$ and $q_i$, $1 \le i \le m$, which are mutually prime and of size $\lambda/2$ bits.
2. Let $f_i = p_i q_i$ and $N = \prod_{i=1}^{m} f_i$.
3. Pick $l$ invertible matrices $(k^{(1)}, k^{(2)}, \ldots, k^{(l)})$ of size $s$, $k^{(i)} \in M_s(\mathbb{Z}_N)$.
4. Compute $k = \prod_{i=1}^{l} k^{(i)} = k^{(1)} \cdot k^{(2)} \cdots k^{(l)}$ (in this order; matrix multiplication is not commutative).
5. Output $(f_i, N, k, (k^{(1)}, k^{(2)}, \ldots, k^{(l)}))$ as Keyset.

This notion of matching keys is also useful when we want to chain computations in some order, where at every step of the computation the input argument is encrypted using a different key.

4.5 A Multiparty Protocol for Privacy Preserving Data Processing

4.5.1 System Model

We consider a system model similar to [24], where the cooperation of several entities makes an arbitrary number of homomorphic calculations more efficient. We drop the assumption of non-colluding entities; rather, we present a scheme which is collusion-resistant. We assume the processing to be done on data as arithmetic operations within the ring $\mathbb{Z}_N$.

Figure 4.2 Privacy Preserving Data Processing: System Model and Protocol

The roles and functions of the entities involved in data processing (refer to Fig. 4.2) are as follows:
1. Data owner: possesses the raw data, which is not disclosed to others. The data owner is responsible for encrypting and masking the data and has both Encrypt and Lock functionality.
2. Processing center: has two divisions. The delegator division determines which data is required for a certain computation and how to mask it; it has key set generation functionality. The mapping division maps results from the computation center so that they can be consumed by a certain user; it has only Lock functionality and obtains its key from the delegator division.
3. Computation center: performs the calculations requested by the data user. It has access to masked data but not to keys. It receives ciphertexts and the formula, and sends the

final result to the mapping division of the processing center. It has only evaluation functionality.
4. Data user: intends to perform some computation on data currently owned by the data owner. The data user receives only the final result and cannot learn any intermediate result or raw data. It has decryption functionality.

Our goal is computing $f(P)$, where $f$ is a function composed of additions and multiplications and $P = (x_1, x_2, \ldots, x_n)$ is the input data. We need to compute the result while keeping $P$ secret. The function $f$ is divided into several additions and multiplications, and the computation is executed step by step (note that this is the same as the Eval function). The security of the scheme is intuitive: an entity which can access encrypted data does not have the decryption key, and entities with a decryption key are prohibited from accessing encrypted data. In a public key cryptosystem this arrangement would be susceptible to a collusion attack if the two entities possessing the decryption key and the encrypted data decided to collude. But, as we will see, these keys are not the same in this scheme and hence it is collusion-resistant.

4.5.2 Multiparty Protocol

The protocol (refer to F ig. 4.2) for evaluating a function $f(x_1, x_2, \ldots, x_n)$ is:
1. The data owner holds the data encrypted under key $k^{(1)}$, as $Y_i = \mathrm{Enc}(x_i, k^{(1)})$.
2. The delegator prepares a list of the data required for the computation and sends it to the data owner. It suffices to send the required indices $1 \ldots n$. (The indices have been renumbered here as $1 \ldots n$ for readability; they need not actually be contiguous.)
3. The data owner masks the data as $Z_i = \mathrm{Lock}(Y_i, k^{(2)})$.
4. The computation center evaluates $f$ to produce the result $Z = \mathrm{Eval}(f, Z_1, Z_2, \ldots, Z_n)$ and sends it to the mapping division.
5. The mapping division converts $Z$ as $Y' = \mathrm{Lock}(Z, k^{(3)})$.
6. The data user retrieves the result as $y = \mathrm{Dec}(Y', k)$.

Here the keys $k^{(1)}, k^{(2)}, k^{(3)}$ and $k$ are matching keys with $k = k^{(1)} k^{(2)} k^{(3)}$ as the master key, generated by KeySetGen. Correctness follows by composing the similarity transformations: with $D_i$ the diagonal matrix of $x_i$,
$$Y' = (k^{(3)})^{-1} (k^{(2)})^{-1} (k^{(1)})^{-1} \, f(D_1, \ldots, D_n) \, k^{(1)} k^{(2)} k^{(3)} = k^{-1} \, f(D_1, \ldots, D_n) \, k,$$
so $\mathrm{Dec}(Y', k) = f(x_1, \ldots, x_n)$. As can be observed, no key is sent to the computation center. The keys of the data user and the mapping division, if combined, yield only $k (k^{(3)})^{-1} = k^{(1)} k^{(2)}$ and cannot reveal $k^{(1)}$, the actual encryption key. Thus the protocol is resistant to this collusion.
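The scheme of Sections 4.3 to 4.5, worked end to end in Python as an added example; this is not the thesis's own Java implementation. It uses the parameters of Examples 4.1 and 4.2 ($m = 2$, $p = \{3, 5\}$, $q = \{7, 11\}$, $N = 1155$) but generates its own random key matrices, so the ciphertext matrices differ from those of the examples. The `rows` argument (which row of the $3 \times 3$ matrix is used for each modulus $f_i$), the seeds, and the helper names such as `congruence_diagonal` are conventions of this example, not of the thesis. It reproduces the diagonal $(257, 291, 236, 312)$ of Example 4.1, the results 17 and 60 of Example 4.2, and runs the six steps of Section 4.5.2 with a three-level matching key set.

```python
"""Matrix-similarity symmetric FHE of Sections 4.3-4.5 over Z_N; added toy example."""
import random
from math import gcd, prod

def crt(residues, moduli):
    """Solve x = r_i (mod f_i) for pairwise coprime f_i (Enc step 3)."""
    x, M = 0, 1
    for r, f in zip(residues, moduli):
        assert gcd(M, f) == 1, "the f_i must be pairwise coprime"
        x += M * (((r - x) * pow(M, -1, f)) % f)
        M *= f
    return x % M

def mat_mul(A, B, N):
    n = len(A)
    return [[sum(A[i][t] * B[t][j] for t in range(n)) % N for j in range(n)] for i in range(n)]

def mat_add(A, B, N):
    return [[(a + b) % N for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]

def minor(A, i, j):
    return [row[:j] + row[j + 1:] for r, row in enumerate(A) if r != i]

def det(A):
    """Exact integer determinant by Laplace expansion (cheap for 4x4)."""
    if len(A) == 1:
        return A[0][0]
    return sum((-1) ** j * A[0][j] * det(minor(A, 0, j)) for j in range(len(A)))

def mat_inv(A, N):
    """Inverse over Z_N via the adjugate; None unless det(A) is a unit mod N."""
    d = det(A) % N
    if gcd(d, N) != 1:  # N is composite, so a nonzero determinant need not be a unit
        return None
    dinv, n = pow(d, -1, N), len(A)
    return [[(-1) ** (i + j) * det(minor(A, j, i)) * dinv % N for j in range(n)] for i in range(n)]

def random_invertible(N, size, rng):
    while True:  # KeyGen step 3: retry until the random matrix is invertible mod N
        k = [[rng.randrange(N) for _ in range(size)] for _ in range(size)]
        kinv = mat_inv(k, N)
        if kinv is not None:
            return k, kinv

def keygen(p, q, size=4, seed=None):
    """KeyGen_4: f_i = p_i q_i, N = prod f_i, random invertible k in M_4(Z_N)."""
    f = [pi * qi for pi, qi in zip(p, q)]
    N = prod(f)
    k, kinv = random_invertible(N, size, random.Random(seed))
    return {"f": f, "N": N, "k": k, "kinv": kinv}

def congruence_diagonal(x, r, rows, f):
    """Enc steps 2-3: row i of X is row rows[i] of [[x,r,r],[r,x,r],[r,r,x]];
    column j of X gives x_j = X[i][j] (mod f_i). Returns [x, x_1, x_2, x_3]."""
    m = len(f)
    X = [[x if c == rows[i] else r for c in range(3)] for i in range(m)]
    return [x] + [crt([X[i][j] for i in range(m)], f) for j in range(3)]

def lock(A, K):    # Lock: B = k^-1 A k, the last step of Enc
    return mat_mul(mat_mul(K["kinv"], A, K["N"]), K["k"], K["N"])

def unlock(B, K):  # Unlock: A = k B k^-1, the first step of Dec
    return mat_mul(mat_mul(K["k"], B, K["N"]), K["kinv"], K["N"])

def enc(x, K, r=None, rows=None, seed=None):
    """Enc_4. Pass r and rows to reproduce Example 4.1; otherwise both are random."""
    rng, N, m = random.Random(seed), K["N"], len(K["f"])
    while r is None or r % N == x % N:  # step 1 demands r != x
        r = rng.randrange(N)
    if rows is None:
        rows = [rng.randrange(3) for _ in range(m)]
    d = congruence_diagonal(x, r, rows, K["f"])
    return lock([[d[i] if i == j else 0 for j in range(4)] for i in range(4)], K)  # step 4

def dec(C, K):     # Dec: x = (k C k^-1)_{11}
    return unlock(C, K)[0][0]

def evaluate(f, cts, N):
    """Eval: f uses only the ring operations add and mul on ciphertext matrices."""
    return f(lambda A, B: mat_add(A, B, N), lambda A, B: mat_mul(A, B, N), *cts)

def keysetgen(p, q, l, size=4, seed=None):
    """KeySetGen_s: l invertible matrices and master key k = k^(1) k^(2) ... k^(l),
    in that order (matrix multiplication does not commute)."""
    f, rng = [pi * qi for pi, qi in zip(p, q)], random.Random(seed)
    N = prod(f)
    parts = [dict(zip(("k", "kinv"), random_invertible(N, size, rng)), f=f, N=N) for _ in range(l)]
    k = parts[0]["k"]
    for part in parts[1:]:
        k = mat_mul(k, part["k"], N)
    return {"f": f, "N": N, "k": k, "kinv": mat_inv(k, N)}, parts

def protocol(xs, f, master, parts):
    """Section 4.5.2: owner encrypts under k^(1) (step 1) and masks with k^(2) (step 3);
    computation centre runs Eval with no key (4); mapping re-masks with k^(3) (5); user decrypts with k (6)."""
    k1, k2, k3 = parts
    Y = [enc(x, k1, seed=i) for i, x in enumerate(xs)]
    Z = [lock(y, k2) for y in Y]
    return dec(lock(evaluate(f, Z, master["N"]), k3), master)
```

`keygen([3, 5], [7, 11], seed=1)` gives $N = 1155$; encrypting 5 and 12 with `enc` and decrypting `mat_add` and `mat_mul` of the two ciphertexts returns 17 and 60, and `protocol([5, 12, 7], lambda add, mul, a, b, c: add(mul(a, b), c), *keysetgen([3, 5], [7, 11], 3, seed=5))` returns 67. The `assert` inside `crt` is the check a practitioner should keep: the whole construction silently breaks if the $f_i$ are not pairwise coprime, which also rules out the powers-of-two variant of Section 4.9 as stated.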

4.6 Performance

4.6.1 Complexity of Algorithms

We need to choose $2m$ mutually prime numbers in the encryption scheme. The encryption algorithm requires two matrix multiplications and also an algorithm to solve the $m$ linear congruences that define each of the values $x_1$, $x_2$ and $x_3$. It takes time $O(m\lambda)$ to construct the solution to these linear congruences. Multiplication has time complexity $O(m\lambda \log m\lambda \log\log m\lambda)$. So the overall complexity for encryption is $O(m\lambda \log m\lambda \log\log m\lambda)$. The decryption algorithm involves only two matrix multiplications, thus having the same time complexity.

Considering the complexity of the multiplication and addition algorithms, observe the size of the integers in the ring $\mathbb{Z}_N$. The value $N$ is the product of $m$ numbers $f_i$ of length $\lambda$ bits, so it is approximately an $m\lambda$-bit number. There exist efficient algorithms for the multiplication of $b$-bit integers with complexity $O(b \log b \log\log b)$. For $b = m\lambda$ this becomes $O(m\lambda \log m\lambda \log\log m\lambda)$. Addition is linear and thus has complexity $O(m\lambda)$.

4.6.2 Computational Overhead

Homomorphic evaluation of a function is efficient if it has a low computation overhead. The overhead is defined as the ratio of the time taken to perform a computation homomorphically over ciphertexts to the time taken to compute on plaintexts. If a computation consists only of additions, adding two integers homomorphically in our scheme means adding two matrices. This gives a constant overhead of 16, since we add two matrices of size 4 containing 16 numbers each. If a computation consists only of multiplications, multiplying two integers homomorphically means multiplying two matrices, which amounts to 64 multiplications and 64 additions. Since $N$ is a $b$-bit number, the cost of multiplying two numbers is $O(b^2)$ with schoolbook multiplication. This gives a computation overhead of $O(b)$, or $O(m\lambda)$. Hence, we conclude that our scheme has a worst-case computation overhead of $O(m\lambda)$, that is, varying linearly with the security parameter.

4.6.3 Plaintext Expansion

An integer is encrypted into a matrix of 16 numbers, resulting in a constant expansion factor of 16. It does not vary with the bit length of $N$ and is independent of the other security parameters.

Table 4.1 shows a comparison between our proposed scheme and other popular FHE schemes with respect to these performance characteristics.

TABLE 4.1 COMPARISON OF PROPOSED SCHEME WITH OTHER FHE SCHEMES

                        DGHV           BGV                  Our Scheme
Key Size                O(λ^10)        Equal to plaintext   O(mλ)
Computation Overhead    Ω(λ^3.5)       O(λ^2)               O(mλ)
Plaintext Expansion     O(log λ)       O(λ^3)               O(1) (16)

4.7 Security

We shall discuss the security of our scheme in terms of key recovery, one-wayness, semantic security and indistinguishability. Then we proceed towards proving that the scheme is CPA secure.

4.7.1 Security against Key Recovery

In plain words this means that knowledge of the ciphertext must not allow an adversary to retrieve the key. Since in our scheme the ciphertext does not reveal anything about the key except its length, security against key recovery amounts to security against brute-force attack. The key for our scheme is an $l \times l$ matrix over the ring $\mathbb{Z}_N$, which gives $N^{l^2}$ possibilities for the key matrix. The probability that a randomly generated matrix is the key is $1/N^{l^2}$. Checking whether a random matrix is the key or not involves two matrix multiplications, which implies $\Omega(l^2)$ operations per multiplication. Given that $N$ is $b$ bits long, the complexity of a brute-force attack is $\Omega(l^2 \cdot 2^{b l^2})$. Table 4.2 gives the equivalent security level for different parameter values. It can easily be observed that our scheme is secure against brute-force attack even with the smallest parameters.

TABLE 4.2 BRUTE-FORCE SECURITY OF PROPOSED SCHEME

Length of N (in bits)    Equivalent security

4.7.2 One-way Security

This implies that, given a ciphertext, an adversary should not be able to retrieve the corresponding plaintext. Since the ciphertext is a randomization of the plaintext and not a direct linear (or polynomial) function of it, in order to retrieve the plaintext from the ciphertext an adversary has to invert the similarity transformation; only then can linear-algebraic methods be useful to retrieve the plaintext. Let us assume that a certain permutation of the identity matrix, $K_I$, can be used to invert the transformation by the operation $C' = K_I \cdot C \cdot K_I^{-1}$, where $C$ is the given ciphertext. To obtain the plaintext from $C'$ the adversary must be able to factorize $N$; that is, the adversary can retrieve the plaintext only by solving the congruences using the Chinese Remainder Theorem, and for that it needs the factors of $N$. Thus, the one-way security of our scheme reduces to the hardness of factorizing $N$. As per Lemma 2, this cannot be done with non-negligible probability. Thus, one-wayness reduces to the hardness of the Large Integer Factorization problem. Formally, we prove this security using the following lemmas.

Lemma 6: For $1 \le i \le m$, there exists a unique element $k_i \in GL_4(\mathbb{Z}_N)$ such that $k_i \equiv \pi \pmod{p_i}$, $k_i \equiv I \pmod{q_i}$ and $k_i \equiv I \pmod{f_j}$ for $j \ne i$, where $I$ is the identity matrix in $GL_4(\mathbb{Z}_N)$ and $\pi$ is the permutation matrix exchanging the first two coordinates. Additionally, $k_i = k_i^{-1}$.

Proof: The first claim follows directly from the Chinese Remainder Theorem applied entrywise, as $p_i$ is a factor of $N$, $f_j = p_j q_j$ is also a factor of $N$, and these moduli are pairwise coprime. Further, $k_i^2 \equiv \pi^2 = I \pmod{p_i}$ and $k_i^2 \equiv I$ modulo the other factors, so $k_i^2 = I$, which implies $k_i = k_i^{-1}$.

Lemma 7: Given a plaintext $x$, a key $k$ and a random element $r$, there exist a plaintext $y$ and a random element $s$ such that $E(x, k) = E(y, k_i \cdot k)$.

Proof: Note that the diagonal matrix constructed during encryption of the plaintext $x$ is of the form $X = \mathrm{diag}(x, a, b, c)$ and satisfies the congruences $X \equiv \mathrm{diag}(x_i, a_i, b_i, c_i) \pmod{f_i}$, so
$$k_i \cdot X \cdot k_i^{-1} \bmod p_i = k_i \cdot \mathrm{diag}(x, a, b, c) \cdot k_i^{-1} \bmod p_i = \mathrm{diag}(a, x, b, c) \bmod p_i.$$
Also $k_i \cdot X \cdot k_i^{-1} \bmod q_i = I \cdot X \cdot I \bmod q_i = X \bmod q_i$, and similarly $k_i \cdot X \cdot k_i^{-1} \bmod f_j = X \bmod f_j$ for $j \ne i$. Let the diagonal matrix constructed during encryption of the plaintext $y$ be $Y = \mathrm{diag}(y, a', b', c')$. Then the set of congruences $Y \equiv \mathrm{diag}(a, x, b, c) \pmod{p_i}$, $Y \equiv X \pmod{q_i}$ and $Y \equiv X \pmod{f_j}$, $j \ne i$, has a unique solution by the Chinese Remainder Theorem. This solution also satisfies $Y = k_i \cdot X \cdot k_i^{-1}$, i.e. $k_i^{-1} \cdot Y \cdot k_i = X$. This implies
$$E(x, k) = k^{-1} \cdot X \cdot k = k^{-1} \cdot k_i^{-1} \cdot Y \cdot k_i \cdot k = (k_i k)^{-1} \cdot Y \cdot (k_i k) = E(y, k_i \cdot k),$$
which proves the lemma.

By Lemma 7 we deduce that an adversary has no polynomial-time method to differentiate between the ciphertexts of two given plaintexts $x$ and $y$ if the key is not known. Hence, the one-wayness property of our scheme is established.

4.7.3 Indistinguishability

Intuitively, a symmetric encryption scheme is said to exhibit the indistinguishability property if, given a ciphertext of one of two messages selected by the challenger, it is hard for the adversary to guess which of the two messages corresponds to the ciphertext. The definition

involves a simple game where the adversary is tested for the ability to guess which message is encrypted in a given ciphertext. The IND security game is defined as:
1. The attacker produces two messages $m_0$ and $m_1$.
2. The challenger returns the challenge ciphertext $c = \mathrm{Enc}(m_b, k)$, $b \in \{0, 1\}$.
3. The attacker outputs $b'$.
The attacker, or adversary, wins if it returns $b' = b$ with probability non-negligibly more than 0.5 in polynomial time. Since the plaintext space is uniform, that is, all plaintexts have equal bit length, indistinguishability implies semantic security. Hence, the proposed scheme is semantically secure provided it is indistinguishable in the above sense, which is argued next.

4.7.4 Security against Known Plaintext and Chosen Plaintext Attack

Plaintext attack security captures the notion of an adversary who has the ability to eavesdrop on arbitrary messages between a sender and a receiver before attempting to decrypt a message. The difference between a known-plaintext attack and a chosen-plaintext attack is that the latter is adaptive. The notion of security against known-plaintext attacks is called indistinguishability under known-plaintext attack, IND-KPA, defined as:
1. The challenger runs KeyGen.
2. (Query Phase I) The attacker is given access to an $\mathrm{Enc}(\cdot, k)$ oracle.
3. (Challenge Phase) The attacker produces two messages $m_0$ and $m_1$. The challenger returns the challenge ciphertext $c = \mathrm{Enc}(m_b, k)$, $b \in \{0, 1\}$.
4. (Query Phase II) Same as Query Phase I.
5. The attacker outputs $b'$.
The attacker, or adversary, wins if it returns $b' = b$ with probability more than 0.5. This game can be repeated a polynomial number of times. For the adaptive case, the IND-CPA game is the same, except that the attacker generates the next pair of messages only after seeing the previous ciphertext.

If an encryption scheme is deterministic (the Enc algorithm is deterministic) then there is a unique, consistent encryption for every message. A deterministic encryption scheme cannot be IND-KPA or IND-CPA secure, since we can simply ask for the encryptions of the two challenge messages during the oracle access step and compare the

oracle's responses to the challenge ciphertext. The proposed scheme is not deterministic, which is a necessary condition for IND-CPA security; the following lemma bounds the probability that the encryption oracle repeats a ciphertext.

Lemma 8: Given a plaintext $x$, its encryption $C$ with random number $r$ and a key $k$, any oracle $\mathrm{Enc}(\cdot, k)$ will return $C$ with probability $\frac{1}{N \cdot 3^m}$.

Proof: The fact to be noted is that the encryption depends on the number $r$, which is chosen at random (in step 1 of encryption) by the encryption oracle. Since $r \in \mathbb{Z}_N$, the probability that the same $r$ is chosen is $1/N$ under a uniform probability distribution for selecting the random number. Even when the same $r$ is chosen, the probability that the same $m$ rows of $X$ are selected (in step 2 of encryption) to construct the linear congruences is $1/3^m$. Thus, the probability of producing the same ciphertext for a given plaintext and key is $\frac{1}{N \cdot 3^m}$. Hence the claim is proved.

From Lemma 8 we observe that even for the smallest possible values of $N$ and $m$ (respectively 1155 and 2), the probability is $1/(1155 \cdot 3^2) = 1/10395 \approx 9.6 \times 10^{-5}$. Thus, the scheme is IND-KPA secure. The proposed scheme is CPA secure if the number of chosen plaintext-ciphertext pairs is less than the number of factors used in the linear congruences during encryption. In other words, for $m' < m$ the scheme is CPA secure for $m'$ plaintext-ciphertext pairs. This is so because more than $m$ pairs chosen adaptively can help the adversary factorize $N$ and hence break the scheme. Note that this is a bounded-query guarantee: the standard IND-CPA definition grants the adversary polynomially many encryption queries, so $m$ must be chosen larger than the number of encryptions an adversary can observe under one key.

4.8 Properties

As discussed in Section 3.2, the properties of a homomorphic scheme decide the category of applications it can be used in. Hence, it is important to discuss the properties of our proposed scheme in the light of its deployment to practical use. They are:
1. Circuit/function privacy: All intermediate and final results of any computation are elements of $M_4(\mathbb{Z}_N)$. Hence, vital information like the number of parameters,

the size of the circuit, intermediate results or the purpose of the function cannot be deduced from the result itself.
2. Multiple users: Our scheme can be deployed for multi-user computations. We have shown in Section 4.4 a possible method to do so.
3. Parallel computation: The cryptographic primitives as such do not have scope for parallelization. But the complexity of all algorithms depends on the matrix operations performed therein, and these can be optimized by parallelizing the algorithms for addition and multiplication.
4. Unlinkability: The output of the encryption algorithm is a $4 \times 4$ matrix, indistinguishable from the output of the evaluation algorithm; hence the unlinkability property of our scheme.
5. Multi-hop: The output of the algorithm Eval is a $4 \times 4$ matrix which can again be input to the Eval algorithm without any intermediate (extra) operation, thus making it possible to perform multiple hops of evaluation in succession.

4.8 Implementation Results

We implemented our algorithms in Java and evaluated their execution time. The computations were performed on a 3.40 GHz Intel Core processor. Table 4.3 lists the execution time for key generation, encryption and decryption for various lengths of $N$.

TABLE 4.3 EXECUTION TIME OF KEY GENERATION, ENCRYPTION AND DECRYPTION FOR VARIOUS LENGTHS OF N

N (in bits)    Key Generation    Encryption    Decryption
               ms                31 ms         17 ms
               ms                193 ms        124 ms
               s                 s             6.45 s

The data for homomorphic evaluations was gathered by running 10000 additions and 100 multiplications of randomly selected numbers of varying length. Table 4.4 lists the execution time required for homomorphic addition and multiplication.

TABLE 4.4 EVALUATION TIME OF ADDITION AND MULTIPLICATION FOR DIFFERENT LENGTHS OF N

N (in bits)    Time for Addition (10000)    Time for Multiplication (100)
               ns                           8.98 ms
               ns                           187 ms
               ns                           337 ms
               ns                           1.9 s
               ns                           5.4 s

For the purpose of comparison, we pick the results published in [20], a very practical implementation of the BGV scheme. In [20], the time taken to compute the mean of 100 numbers of size 128 bits is 20 milliseconds, and for the variance it is 6 seconds. They leave the division in both cases to the data user, and to allow the mean computation they require a 30-bit prime as the secret, while for the variance it is 58 bits long. In our implementation, computation of the mean takes 1.38 milliseconds and of the variance 6.83 seconds, including the division operation.

4.9 Variants

We present here two variants of the scheme.
1. The first variant involves a larger key size, that is, matrices of size 8. This increases the computational complexity of the algorithms, but the advantage gained is not much. It obviously increases the ciphertext space, thereby contributing to security. In this case the encryption algorithm involves two random numbers. We present here only the encryption algorithm; the other algorithms are analogous and can be understood accordingly.

Enc_8(x, k)
1. Choose random values $r_1, r_2 \in \mathbb{Z}_N$, $r_1, r_2 \ne x$.
2. Construct a matrix $X$ ($m \times 7$) such that each row has only one element equal to $x$, three elements equal to $r_1$ and the other three equal to $r_2$.
3. Using the Chinese Remainder Theorem, set $x_j$, $1 \le j \le 7$, to be the solution of the simultaneous congruences $x_j \equiv X_{ij} \pmod{f_i}$, $1 \le i \le m$.
4. Ciphertext $C = k^{-1} \cdot \mathrm{diag}(x, x_1, x_2, x_3, x_4, x_5, x_6, x_7) \cdot k$.

Here our aim is to give an idea of how the proposed scheme can be generalized to a larger key size, and hence better security.

2. Instead of taking a large composite number $N$ as the base of the ring $\mathbb{Z}_N$, it can be chosen as a composite power of 2. The algorithms for all primitives remain exactly the same, except that the numbers $p_i$ and $q_i$ are now selected as powers of 2. All $p_i$ and $q_i$ are distinct. For example, for $m = 2$ we can choose $p = \{2, 32\}$ and $q = \{128, 8\}$. Here the security parameter $\lambda$ can be viewed as the maximum number of bits in a plaintext. This can further be combined with packing bits of plaintext into blocks of $\lambda$ bits each, but it would require an evaluation function which can map binary operations on bits to operations on matrices (or integers). Note that powers of 2 are not pairwise coprime: in the example above $f_1 = 2 \cdot 128 = 256 = 32 \cdot 8 = f_2$, so the Chinese Remainder step of Enc has a solution only when the rows of $X$ agree modulo 256, which the $m \times 3$ construction does not guarantee; this variant therefore requires a different way of building the diagonal entries.

Chapter 5
CONCLUSION AND FUTURE WORK

The scope and promise of homomorphic cryptography in cloud computing environments cannot be ignored. Researchers all over the world have taken great interest in recent years in developing homomorphisms that can be deployed practically. Much of the focus is on imparting homomorphic capabilities to public key cryptosystems, while some applications can just as well be handled with a symmetric key scheme. Hence, our effort has been to propose ideas on how symmetric keys and simple matrix-based operations could also lead to feasible schemes for cloud computing, specifically for delegation of computation and private data processing in clouds.

The communication costs involved in cloud computing are often large; to compensate for this we emphasize low time complexity for the cryptographic primitives. We have proposed a scheme with a very efficient decryption method, making it affordable for computationally weak devices, like a mobile device taking results from a computation centre in the cloud and decrypting them. We have proposed application-specific primitives making it easy to deploy to data processing applications. The evaluation functions are efficient and simple, making it easy to carry out any arbitrary computation on data. We also suggest how to use symmetric encryption with multiple users, which is clearly key-efficient compared to the popular asymmetric approaches for multi-user applications.

The scheme can be further optimized in the matrix multiplication aspect. Decryption need not carry out the complete multiplication of three matrices; rather, the aim is to derive only the first element of the product matrix. The scheme can be modified to operate on polynomials instead of matrices, deriving the idea from [21]. Applications to private information retrieval, searching the index of an encrypted database and e-voting could be useful; designing protocols for these could be a further contribution. The proposed scheme does not have any scope for targeted malleability or verifiability yet. Improvements to the scheme, or the introduction of new primitives for verifiable computation, would be a worthwhile effort.

References

[1] C. Gentry. A fully homomorphic encryption scheme. PhD thesis, Stanford University, Sep. Available at
[2] V. Vaikuntanathan. Computing blindfolded: new developments in homomorphic encryption. Proceedings of the 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, pp. 5-16.
[3] L. Xiao, O. Bastani and I-L. Yen. An efficient homomorphic encryption protocol for multi-user systems. Available at
[4] R. Rivest, L. Adleman, and M. Dertouzos. On data banks and privacy homomorphisms. Foundations of Secure Computation, pp.
[5] R. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21(2).
[6] P. Paillier. Public-key cryptosystems based on composite degree residuosity classes. Proc. of EUROCRYPT '99, Springer, pp.
[7] N. P. Smart and F. Vercauteren. Fully homomorphic encryption with relatively small key and ciphertext sizes. Public Key Cryptography - PKC 2010, Lecture Notes in Computer Science, vol. 6056, Springer, Berlin, Heidelberg, New York, pp.
[8] C. Gentry and S. Halevi. Implementing Gentry's fully homomorphic encryption scheme. EUROCRYPT 2011, LNCS, Springer, K. Paterson (Ed.), 2011.
[9] D. Stehle and R. Steinfeld. Faster fully homomorphic encryption. Cryptology ePrint Archive, Report 2010/299.
[10] N. P. Smart and F. Vercauteren. Fully homomorphic SIMD operations. IACR Cryptology ePrint Archive, Report 2011/133.
[11] C. Gentry and S. Halevi. Fully homomorphic encryption without squashing using depth-3 arithmetic circuits. Cryptology ePrint Archive, Report 2011/279.
[12] C. Gentry, S. Halevi and N. P. Smart. Better bootstrapping in fully homomorphic encryption. Cryptology ePrint Archive, Report 2011/
[13] M. van Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan. Fully homomorphic encryption over the integers. Proceedings of EUROCRYPT 2010, Lecture Notes in Computer Science, vol. 6110, Springer, pp. 24-43.
[14] J.-S. Coron, A. Mandal, D. Naccache, and M. Tibouchi. Fully homomorphic encryption over the integers with shorter public keys. Advances in Cryptology - Proc. CRYPTO 2011, Lecture Notes in Computer Science, Springer.
[15] G. Chunsheng. Attack on fully homomorphic encryption over the integers. Available at
[16] J. Coron, T. Lepoint and M. Tibouchi. Batch fully homomorphic encryption over the integers. Available at
[17] J. Kim, M. S. Lee, A. Yun and J. H. Cheon. CRT-based fully homomorphic encryption over the integers. Available at
[18] Z. Brakerski and V. Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE. Foundations of Computer Science. Also available at Cryptology ePrint Archive, Report 2011/344.
[19] Z. Brakerski, C. Gentry, and V. Vaikuntanathan. Fully homomorphic encryption without bootstrapping. Cryptology ePrint Archive, Report 2011/277.
[20] K. Lauter, M. Naehrig and V. Vaikuntanathan. Can homomorphic encryption be practical? Proc. of the 3rd ACM Cloud Computing Security Workshop, pp.
[21] A. Kipnis and E. Hibshoosh. Efficient methods for practical fully-homomorphic symmetric-key encryption, randomization and verification. Available at
[22] S. Wang, D. Agrawal and A. El Abbadi. Is homomorphic encryption the holy grail for database queries on encrypted data? Technical report, Department of Computer Science, University of California, Feb.
[23] D. Boneh, G. Segev and B. Waters. Targeted malleability: homomorphic encryption for restricted computations. IACR Cryptology ePrint Archive, Report 2011/
[24] S. Tsujii, H. Doi, R. Fujita, M. Gotaishi, Y. Tsunoo and T. Syouji. Privacy preserving data processing with collaboration of homomorphic cryptosystems. Workshop on Applied Homomorphic Cryptography, Japan.


More information

Practical and Secure Solutions for Integer Comparison

Practical and Secure Solutions for Integer Comparison In Publc Key Cryptography PKC 07, Vol. 4450 of Lecture Notes n Computer Scence, Sprnger-Verlag, 2007. pp. 330-342. Practcal and Secure Solutons for Integer Comparson Juan Garay 1, erry Schoenmakers 2,

More information

AN EFFICIENT GROUP AUTHENTICATION FOR GROUP COMMUNICATIONS

AN EFFICIENT GROUP AUTHENTICATION FOR GROUP COMMUNICATIONS Internatonal Journal of Network Securty & Its Applcatons (IJNSA), Vol.5, No.3, May 2013 AN EFFICIENT GROUP AUTHENTICATION FOR GROUP COMMUNICATIONS Len Harn 1 and Changlu Ln 2 1 Department of Computer Scence

More information

Luby s Alg. for Maximal Independent Sets using Pairwise Independence

Luby s Alg. for Maximal Independent Sets using Pairwise Independence Lecture Notes for Randomzed Algorthms Luby s Alg. for Maxmal Independent Sets usng Parwse Independence Last Updated by Erc Vgoda on February, 006 8. Maxmal Independent Sets For a graph G = (V, E), an ndependent

More information

An Interest-Oriented Network Evolution Mechanism for Online Communities

An Interest-Oriented Network Evolution Mechanism for Online Communities An Interest-Orented Network Evoluton Mechansm for Onlne Communtes Cahong Sun and Xaopng Yang School of Informaton, Renmn Unversty of Chna, Bejng 100872, P.R. Chna {chsun,yang}@ruc.edu.cn Abstract. Onlne

More information

Feature selection for intrusion detection. Slobodan Petrović NISlab, Gjøvik University College

Feature selection for intrusion detection. Slobodan Petrović NISlab, Gjøvik University College Feature selecton for ntruson detecton Slobodan Petrovć NISlab, Gjøvk Unversty College Contents The feature selecton problem Intruson detecton Traffc features relevant for IDS The CFS measure The mrmr measure

More information

Recurrence. 1 Definitions and main statements

Recurrence. 1 Definitions and main statements Recurrence 1 Defntons and man statements Let X n, n = 0, 1, 2,... be a MC wth the state space S = (1, 2,...), transton probabltes p j = P {X n+1 = j X n = }, and the transton matrx P = (p j ),j S def.

More information

Forecasting the Direction and Strength of Stock Market Movement

Forecasting the Direction and Strength of Stock Market Movement Forecastng the Drecton and Strength of Stock Market Movement Jngwe Chen Mng Chen Nan Ye [email protected] [email protected] [email protected] Abstract - Stock market s one of the most complcated systems

More information

Multiplication Algorithms for Radix-2 RN-Codings and Two s Complement Numbers

Multiplication Algorithms for Radix-2 RN-Codings and Two s Complement Numbers Multplcaton Algorthms for Radx- RN-Codngs and Two s Complement Numbers Jean-Luc Beuchat Projet Arénare, LIP, ENS Lyon 46, Allée d Itale F 69364 Lyon Cedex 07 [email protected] Jean-Mchel Muller

More information

Institute of Informatics, Faculty of Business and Management, Brno University of Technology,Czech Republic

Institute of Informatics, Faculty of Business and Management, Brno University of Technology,Czech Republic Lagrange Multplers as Quanttatve Indcators n Economcs Ivan Mezník Insttute of Informatcs, Faculty of Busness and Management, Brno Unversty of TechnologCzech Republc Abstract The quanttatve role of Lagrange

More information

A Cryptographic Key Assignment Scheme for Access Control in Poset Ordered Hierarchies with Enhanced Security

A Cryptographic Key Assignment Scheme for Access Control in Poset Ordered Hierarchies with Enhanced Security Internatonal Journal of Network Securty, Vol.7, No., PP.3 34, Sept. 8 3 A ryptographc Key Assgnment Scheme for Access ontrol n Poset Ordered Herarches wth Enhanced Securty Debass Gr and P. D. Srvastava

More information

From Selective to Full Security: Semi-Generic Transformations in the Standard Model

From Selective to Full Security: Semi-Generic Transformations in the Standard Model An extended abstract of ths work appears n the proceedngs of PKC 2012 From Selectve to Full Securty: Sem-Generc Transformatons n the Standard Model Mchel Abdalla 1 Daro Fore 2 Vadm Lyubashevsky 1 1 Département

More information

Tracker: Security and Privacy for RFID-based Supply Chains

Tracker: Security and Privacy for RFID-based Supply Chains Tracker: Securty and Prvacy for RFID-based Supply Chans Erk-Olver Blass Kaoutar Elkhyaou Refk Molva EURECOM Sopha Antpols, France {blass elkhyao molva}@eurecom.fr Abstract The counterfetng of pharmaceutcs

More information

DEFINING %COMPLETE IN MICROSOFT PROJECT

DEFINING %COMPLETE IN MICROSOFT PROJECT CelersSystems DEFINING %COMPLETE IN MICROSOFT PROJECT PREPARED BY James E Aksel, PMP, PMI-SP, MVP For Addtonal Informaton about Earned Value Management Systems and reportng, please contact: CelersSystems,

More information

Identity-Based Encryption Gone Wild

Identity-Based Encryption Gone Wild An extended abstract of ths paper appeared n Mchele Bugles, Bart Preneel, Vladmro Sassone, and Ingo Wegener, edtors, 33rd Internatonal Colloquum on Automata, Languages and Programmng ICALP 2006, volume

More information

Multiple-Period Attribution: Residuals and Compounding

Multiple-Period Attribution: Residuals and Compounding Multple-Perod Attrbuton: Resduals and Compoundng Our revewer gave these authors full marks for dealng wth an ssue that performance measurers and vendors often regard as propretary nformaton. In 1994, Dens

More information

A Crossplatform ECG Compression Library for Mobile HealthCare Services

A Crossplatform ECG Compression Library for Mobile HealthCare Services A Crossplatform ECG Compresson Lbrary for Moble HealthCare Servces Alexander Borodn, Yulya Zavyalova Department of Computer Scence Petrozavodsk State Unversty Petrozavodsk, Russa {aborod, yzavyalo}@cs.petrsu.ru

More information

SEVERAL trends are opening up the era of Cloud

SEVERAL trends are opening up the era of Cloud 1 Towards Secure and Dependable Storage Servces n Cloud Computng Cong Wang, Student Member, IEEE, Qan Wang, Student Member, IEEE, Ku Ren, Member, IEEE, Nng Cao, Student Member, IEEE, and Wenjng Lou, Senor

More information

Fuzzy Keyword Search over Encrypted Data in Cloud Computing

Fuzzy Keyword Search over Encrypted Data in Cloud Computing Fuzzy Keyword Search over Encrypted Data n Cloud Computng Jn L,QanWang, Cong Wang,NngCao,KuRen, and Wenjng Lou Department of ECE, Illnos Insttute of Technology Department of ECE, Worcester Polytechnc Insttute

More information

8.5 UNITARY AND HERMITIAN MATRICES. The conjugate transpose of a complex matrix A, denoted by A*, is given by

8.5 UNITARY AND HERMITIAN MATRICES. The conjugate transpose of a complex matrix A, denoted by A*, is given by 6 CHAPTER 8 COMPLEX VECTOR SPACES 5. Fnd the kernel of the lnear transformaton gven n Exercse 5. In Exercses 55 and 56, fnd the mage of v, for the ndcated composton, where and are gven by the followng

More information

An Evaluation of the Extended Logistic, Simple Logistic, and Gompertz Models for Forecasting Short Lifecycle Products and Services

An Evaluation of the Extended Logistic, Simple Logistic, and Gompertz Models for Forecasting Short Lifecycle Products and Services An Evaluaton of the Extended Logstc, Smple Logstc, and Gompertz Models for Forecastng Short Lfecycle Products and Servces Charles V. Trappey a,1, Hsn-yng Wu b a Professor (Management Scence), Natonal Chao

More information

Data Broadcast on a Multi-System Heterogeneous Overlayed Wireless Network *

Data Broadcast on a Multi-System Heterogeneous Overlayed Wireless Network * JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 24, 819-840 (2008) Data Broadcast on a Mult-System Heterogeneous Overlayed Wreless Network * Department of Computer Scence Natonal Chao Tung Unversty Hsnchu,

More information

Practical PIR for Electronic Commerce

Practical PIR for Electronic Commerce Practcal PIR for Electronc Commerce Ryan Henry Cherton School of Computer Scence Unversty of Waterloo Waterloo ON Canada N2L 3G1 [email protected] Fem Olumofn Cherton School of Computer Scence Unversty

More information

To manage leave, meeting institutional requirements and treating individual staff members fairly and consistently.

To manage leave, meeting institutional requirements and treating individual staff members fairly and consistently. Corporate Polces & Procedures Human Resources - Document CPP216 Leave Management Frst Produced: Current Verson: Past Revsons: Revew Cycle: Apples From: 09/09/09 26/10/12 09/09/09 3 years Immedately Authorsaton:

More information

Calculation of Sampling Weights

Calculation of Sampling Weights Perre Foy Statstcs Canada 4 Calculaton of Samplng Weghts 4.1 OVERVIEW The basc sample desgn used n TIMSS Populatons 1 and 2 was a two-stage stratfed cluster desgn. 1 The frst stage conssted of a sample

More information

Scalable and Secure Architecture for Digital Content Distribution

Scalable and Secure Architecture for Digital Content Distribution Valer Bocan Scalable and Secure Archtecture for Dgtal Content Dstrbuton Mha Fagadar-Cosma Department of Computer Scence and Engneerng Informaton Technology Department Poltehnca Unversty of Tmsoara Alcatel

More information

Ensuring Data Storage Security in Cloud Computing

Ensuring Data Storage Security in Cloud Computing 1 Ensurng Data Storage Securty n Cloud Computng Cong Wang,Qan Wang, Ku Ren, and Wenjng Lou Dept of ECE, Illnos Insttute of Technology, Emal: {cwang, qwang, kren}@ecetedu Dept of ECE, Worcester Polytechnc

More information

Riposte: An Anonymous Messaging System Handling Millions of Users

Riposte: An Anonymous Messaging System Handling Millions of Users Rposte: An Anonymous Messagng System Handlng Mllons of Users Henry Corrgan-Gbbs, Dan Boneh, and Davd Mazères Stanford Unversty Abstract Ths paper presents Rposte, a new system for anonymous broadcast messagng.

More information

On the Optimal Control of a Cascade of Hydro-Electric Power Stations

On the Optimal Control of a Cascade of Hydro-Electric Power Stations On the Optmal Control of a Cascade of Hydro-Electrc Power Statons M.C.M. Guedes a, A.F. Rbero a, G.V. Smrnov b and S. Vlela c a Department of Mathematcs, School of Scences, Unversty of Porto, Portugal;

More information

Watermark-based Provable Data Possession for Multimedia File in Cloud Storage

Watermark-based Provable Data Possession for Multimedia File in Cloud Storage Vol.48 (CIA 014), pp.103-107 http://dx.do.org/10.1457/astl.014.48.18 Watermar-based Provable Data Possesson for Multmeda Fle n Cloud Storage Yongjun Ren 1,, Jang Xu 1,, Jn Wang 1,, Lmng Fang 3, Jeong-U

More information

Hollinger Canadian Publishing Holdings Co. ( HCPH ) proceeding under the Companies Creditors Arrangement Act ( CCAA )

Hollinger Canadian Publishing Holdings Co. ( HCPH ) proceeding under the Companies Creditors Arrangement Act ( CCAA ) February 17, 2011 Andrew J. Hatnay [email protected] Dear Sr/Madam: Re: Re: Hollnger Canadan Publshng Holdngs Co. ( HCPH ) proceedng under the Companes Credtors Arrangement Act ( CCAA ) Update on CCAA Proceedngs

More information

Ring structure of splines on triangulations

Ring structure of splines on triangulations www.oeaw.ac.at Rng structure of splnes on trangulatons N. Vllamzar RICAM-Report 2014-48 www.rcam.oeaw.ac.at RING STRUCTURE OF SPLINES ON TRIANGULATIONS NELLY VILLAMIZAR Introducton For a trangulated regon

More information

RequIn, a tool for fast web traffic inference

RequIn, a tool for fast web traffic inference RequIn, a tool for fast web traffc nference Olver aul, Jean Etenne Kba GET/INT, LOR Department 9 rue Charles Fourer 90 Evry, France [email protected], [email protected] Abstract As networked

More information

SEVERAL trends are opening up the era of Cloud

SEVERAL trends are opening up the era of Cloud IEEE Transactons on Cloud Computng Date of Publcaton: Aprl-June 2012 Volume: 5, Issue: 2 1 Towards Secure and Dependable Storage Servces n Cloud Computng Cong Wang, Student Member, IEEE, Qan Wang, Student

More information

A Novel Methodology of Working Capital Management for Large. Public Constructions by Using Fuzzy S-curve Regression

A Novel Methodology of Working Capital Management for Large. Public Constructions by Using Fuzzy S-curve Regression Novel Methodology of Workng Captal Management for Large Publc Constructons by Usng Fuzzy S-curve Regresson Cheng-Wu Chen, Morrs H. L. Wang and Tng-Ya Hseh Department of Cvl Engneerng, Natonal Central Unversty,

More information

Single and multiple stage classifiers implementing logistic discrimination

Single and multiple stage classifiers implementing logistic discrimination Sngle and multple stage classfers mplementng logstc dscrmnaton Hélo Radke Bttencourt 1 Dens Alter de Olvera Moraes 2 Vctor Haertel 2 1 Pontfíca Unversdade Católca do Ro Grande do Sul - PUCRS Av. Ipranga,

More information

Loop Parallelization

Loop Parallelization - - Loop Parallelzaton C-52 Complaton steps: nested loops operatng on arrays, sequentell executon of teraton space DECLARE B[..,..+] FOR I :=.. FOR J :=.. I B[I,J] := B[I-,J]+B[I-,J-] ED FOR ED FOR analyze

More information

1.1 The University may award Higher Doctorate degrees as specified from time-to-time in UPR AS11 1.

1.1 The University may award Higher Doctorate degrees as specified from time-to-time in UPR AS11 1. HIGHER DOCTORATE DEGREES SUMMARY OF PRINCIPAL CHANGES General changes None Secton 3.2 Refer to text (Amendments to verson 03.0, UPR AS02 are shown n talcs.) 1 INTRODUCTION 1.1 The Unversty may award Hgher

More information

Frequency Selective IQ Phase and IQ Amplitude Imbalance Adjustments for OFDM Direct Conversion Transmitters

Frequency Selective IQ Phase and IQ Amplitude Imbalance Adjustments for OFDM Direct Conversion Transmitters Frequency Selectve IQ Phase and IQ Ampltude Imbalance Adjustments for OFDM Drect Converson ransmtters Edmund Coersmeer, Ernst Zelnsk Noka, Meesmannstrasse 103, 44807 Bochum, Germany [email protected],

More information

v a 1 b 1 i, a 2 b 2 i,..., a n b n i.

v a 1 b 1 i, a 2 b 2 i,..., a n b n i. SECTION 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS 455 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS All the vector spaces we have studed thus far n the text are real vector spaces snce the scalars are

More information

Implementation of Deutsch's Algorithm Using Mathcad

Implementation of Deutsch's Algorithm Using Mathcad Implementaton of Deutsch's Algorthm Usng Mathcad Frank Roux The followng s a Mathcad mplementaton of Davd Deutsch's quantum computer prototype as presented on pages - n "Machnes, Logc and Quantum Physcs"

More information

Ensuring Data Storage Security in Cloud Computing

Ensuring Data Storage Security in Cloud Computing Ensurng Data Storage Securty n Cloud Computng Cong Wang, Qan Wang, and Ku Ren Department of ECE Illnos Insttute of Technology Emal: {cwang, qwang, kren}@ece.t.edu Wenjng Lou Department of ECE Worcester

More information

An Optimally Robust Hybrid Mix Network (Extended Abstract)

An Optimally Robust Hybrid Mix Network (Extended Abstract) An Optmally Robust Hybrd Mx Network (Extended Abstract) Markus Jakobsson and Ar Juels RSA Laboratores Bedford, MA, USA {mjakobsson,ajuels}@rsasecurty.com Abstract We present a mx network that acheves effcent

More information

THE DISTRIBUTION OF LOAN PORTFOLIO VALUE * Oldrich Alfons Vasicek

THE DISTRIBUTION OF LOAN PORTFOLIO VALUE * Oldrich Alfons Vasicek HE DISRIBUION OF LOAN PORFOLIO VALUE * Oldrch Alfons Vascek he amount of captal necessary to support a portfolo of debt securtes depends on the probablty dstrbuton of the portfolo loss. Consder a portfolo

More information

How Sets of Coherent Probabilities May Serve as Models for Degrees of Incoherence

How Sets of Coherent Probabilities May Serve as Models for Degrees of Incoherence 1 st Internatonal Symposum on Imprecse Probabltes and Ther Applcatons, Ghent, Belgum, 29 June 2 July 1999 How Sets of Coherent Probabltes May Serve as Models for Degrees of Incoherence Mar J. Schervsh

More information

PAS: A Packet Accounting System to Limit the Effects of DoS & DDoS. Debish Fesehaye & Klara Naherstedt University of Illinois-Urbana Champaign

PAS: A Packet Accounting System to Limit the Effects of DoS & DDoS. Debish Fesehaye & Klara Naherstedt University of Illinois-Urbana Champaign PAS: A Packet Accountng System to Lmt the Effects of DoS & DDoS Debsh Fesehaye & Klara Naherstedt Unversty of Illnos-Urbana Champagn DoS and DDoS DDoS attacks are ncreasng threats to our dgtal world. Exstng

More information

Calculating the high frequency transmission line parameters of power cables

Calculating the high frequency transmission line parameters of power cables < ' Calculatng the hgh frequency transmsson lne parameters of power cables Authors: Dr. John Dcknson, Laboratory Servces Manager, N 0 RW E B Communcatons Mr. Peter J. Ncholson, Project Assgnment Manager,

More information

A Replication-Based and Fault Tolerant Allocation Algorithm for Cloud Computing

A Replication-Based and Fault Tolerant Allocation Algorithm for Cloud Computing A Replcaton-Based and Fault Tolerant Allocaton Algorthm for Cloud Computng Tork Altameem Dept of Computer Scence, RCC, Kng Saud Unversty, PO Box: 28095 11437 Ryadh-Saud Araba Abstract The very large nfrastructure

More information

Answer: A). There is a flatter IS curve in the high MPC economy. Original LM LM after increase in M. IS curve for low MPC economy

Answer: A). There is a flatter IS curve in the high MPC economy. Original LM LM after increase in M. IS curve for low MPC economy 4.02 Quz Solutons Fall 2004 Multple-Choce Questons (30/00 ponts) Please, crcle the correct answer for each of the followng 0 multple-choce questons. For each queston, only one of the answers s correct.

More information

A hybrid global optimization algorithm based on parallel chaos optimization and outlook algorithm

A hybrid global optimization algorithm based on parallel chaos optimization and outlook algorithm Avalable onlne www.ocpr.com Journal of Chemcal and Pharmaceutcal Research, 2014, 6(7):1884-1889 Research Artcle ISSN : 0975-7384 CODEN(USA) : JCPRC5 A hybrd global optmzaton algorthm based on parallel

More information

Traffic-light a stress test for life insurance provisions

Traffic-light a stress test for life insurance provisions MEMORANDUM Date 006-09-7 Authors Bengt von Bahr, Göran Ronge Traffc-lght a stress test for lfe nsurance provsons Fnansnspetonen P.O. Box 6750 SE-113 85 Stocholm [Sveavägen 167] Tel +46 8 787 80 00 Fax

More information

A Design Method of High-availability and Low-optical-loss Optical Aggregation Network Architecture

A Design Method of High-availability and Low-optical-loss Optical Aggregation Network Architecture A Desgn Method of Hgh-avalablty and Low-optcal-loss Optcal Aggregaton Network Archtecture Takehro Sato, Kuntaka Ashzawa, Kazumasa Tokuhash, Dasuke Ish, Satoru Okamoto and Naoak Yamanaka Dept. of Informaton

More information

1. Fundamentals of probability theory 2. Emergence of communication traffic 3. Stochastic & Markovian Processes (SP & MP)

1. Fundamentals of probability theory 2. Emergence of communication traffic 3. Stochastic & Markovian Processes (SP & MP) 6.3 / -- Communcaton Networks II (Görg) SS20 -- www.comnets.un-bremen.de Communcaton Networks II Contents. Fundamentals of probablty theory 2. Emergence of communcaton traffc 3. Stochastc & Markovan Processes

More information

"Research Note" APPLICATION OF CHARGE SIMULATION METHOD TO ELECTRIC FIELD CALCULATION IN THE POWER CABLES *

Research Note APPLICATION OF CHARGE SIMULATION METHOD TO ELECTRIC FIELD CALCULATION IN THE POWER CABLES * Iranan Journal of Scence & Technology, Transacton B, Engneerng, ol. 30, No. B6, 789-794 rnted n The Islamc Republc of Iran, 006 Shraz Unversty "Research Note" ALICATION OF CHARGE SIMULATION METHOD TO ELECTRIC

More information

J. Parallel Distrib. Comput.

J. Parallel Distrib. Comput. J. Parallel Dstrb. Comput. 71 (2011) 62 76 Contents lsts avalable at ScenceDrect J. Parallel Dstrb. Comput. journal homepage: www.elsever.com/locate/jpdc Optmzng server placement n dstrbuted systems n

More information

Enterprise Master Patient Index

Enterprise Master Patient Index Enterprse Master Patent Index Healthcare data are captured n many dfferent settngs such as hosptals, clncs, labs, and physcan offces. Accordng to a report by the CDC, patents n the Unted States made an

More information

FORMAL ANALYSIS FOR REAL-TIME SCHEDULING

FORMAL ANALYSIS FOR REAL-TIME SCHEDULING FORMAL ANALYSIS FOR REAL-TIME SCHEDULING Bruno Dutertre and Vctora Stavrdou, SRI Internatonal, Menlo Park, CA Introducton In modern avoncs archtectures, applcaton software ncreasngly reles on servces provded

More information

Extending Probabilistic Dynamic Epistemic Logic

Extending Probabilistic Dynamic Epistemic Logic Extendng Probablstc Dynamc Epstemc Logc Joshua Sack May 29, 2008 Probablty Space Defnton A probablty space s a tuple (S, A, µ), where 1 S s a set called the sample space. 2 A P(S) s a σ-algebra: a set

More information

Efficient Project Portfolio as a tool for Enterprise Risk Management

Efficient Project Portfolio as a tool for Enterprise Risk Management Effcent Proect Portfolo as a tool for Enterprse Rsk Management Valentn O. Nkonov Ural State Techncal Unversty Growth Traectory Consultng Company January 5, 27 Effcent Proect Portfolo as a tool for Enterprse

More information

ANALYZING THE RELATIONSHIPS BETWEEN QUALITY, TIME, AND COST IN PROJECT MANAGEMENT DECISION MAKING

ANALYZING THE RELATIONSHIPS BETWEEN QUALITY, TIME, AND COST IN PROJECT MANAGEMENT DECISION MAKING ANALYZING THE RELATIONSHIPS BETWEEN QUALITY, TIME, AND COST IN PROJECT MANAGEMENT DECISION MAKING Matthew J. Lberatore, Department of Management and Operatons, Vllanova Unversty, Vllanova, PA 19085, 610-519-4390,

More information

Complete Fairness in Secure Two-Party Computation

Complete Fairness in Secure Two-Party Computation Complete Farness n Secure Two-Party Computaton S. Dov Gordon Carmt Hazay Jonathan Katz Yehuda Lndell Abstract In the settng of secure two-party computaton, two mutually dstrustng partes wsh to compute

More information

The Greedy Method. Introduction. 0/1 Knapsack Problem

The Greedy Method. Introduction. 0/1 Knapsack Problem The Greedy Method Introducton We have completed data structures. We now are gong to look at algorthm desgn methods. Often we are lookng at optmzaton problems whose performance s exponental. For an optmzaton

More information

Power-of-Two Policies for Single- Warehouse Multi-Retailer Inventory Systems with Order Frequency Discounts

Power-of-Two Policies for Single- Warehouse Multi-Retailer Inventory Systems with Order Frequency Discounts Power-of-wo Polces for Sngle- Warehouse Mult-Retaler Inventory Systems wth Order Frequency Dscounts José A. Ventura Pennsylvana State Unversty (USA) Yale. Herer echnon Israel Insttute of echnology (Israel)

More information

Robust Design of Public Storage Warehouses. Yeming (Yale) Gong EMLYON Business School

Robust Design of Public Storage Warehouses. Yeming (Yale) Gong EMLYON Business School Robust Desgn of Publc Storage Warehouses Yemng (Yale) Gong EMLYON Busness School Rene de Koster Rotterdam school of management, Erasmus Unversty Abstract We apply robust optmzaton and revenue management

More information

Course outline. Financial Time Series Analysis. Overview. Data analysis. Predictive signal. Trading strategy

Course outline. Financial Time Series Analysis. Overview. Data analysis. Predictive signal. Trading strategy Fnancal Tme Seres Analyss Patrck McSharry [email protected] www.mcsharry.net Trnty Term 2014 Mathematcal Insttute Unversty of Oxford Course outlne 1. Data analyss, probablty, correlatons, vsualsaton

More information

Conversion between the vector and raster data structures using Fuzzy Geographical Entities

Conversion between the vector and raster data structures using Fuzzy Geographical Entities Converson between the vector and raster data structures usng Fuzzy Geographcal Enttes Cdála Fonte Department of Mathematcs Faculty of Scences and Technology Unversty of Combra, Apartado 38, 3 454 Combra,

More information

Support Vector Machines

Support Vector Machines Support Vector Machnes Max Wellng Department of Computer Scence Unversty of Toronto 10 Kng s College Road Toronto, M5S 3G5 Canada [email protected] Abstract Ths s a note to explan support vector machnes.

More information

DP5: A Private Presence Service

DP5: A Private Presence Service DP5: A Prvate Presence Servce Nkta Borsov Unversty of Illnos at Urbana-Champagn, Unted States [email protected] George Danezs Unversty College London, Unted Kngdom [email protected] Ian Goldberg Unversty

More information

A Study on Secure Data Storage Strategy in Cloud Computing

A Study on Secure Data Storage Strategy in Cloud Computing Journal of Convergence Informaton Technology Volume 5, Number 7, Setember 00 A Study on Secure Data Storage Strategy n Cloud Comutng Danwe Chen, Yanjun He, Frst Author College of Comuter Technology, Nanjng

More information

Software project management with GAs

Software project management with GAs Informaton Scences 177 (27) 238 241 www.elsever.com/locate/ns Software project management wth GAs Enrque Alba *, J. Francsco Chcano Unversty of Málaga, Grupo GISUM, Departamento de Lenguajes y Cencas de

More information

sscada: securing SCADA infrastructure communications

sscada: securing SCADA infrastructure communications Int. J. Communcaton Networks and Dstrbuted Systems, Vol. 6, No. 1, 2011 59 sscada: securng SCADA nfrastructure communcatons Yongge Wang Department of SIS, UNC Charlotte, 9201 Unversty Cty Blvd, Charlotte,

More information

BERNSTEIN POLYNOMIALS

BERNSTEIN POLYNOMIALS On-Lne Geometrc Modelng Notes BERNSTEIN POLYNOMIALS Kenneth I. Joy Vsualzaton and Graphcs Research Group Department of Computer Scence Unversty of Calforna, Davs Overvew Polynomals are ncredbly useful

More information

Open Access A Load Balancing Strategy with Bandwidth Constraint in Cloud Computing. Jing Deng 1,*, Ping Guo 2, Qi Li 3, Haizhu Chen 1

Open Access A Load Balancing Strategy with Bandwidth Constraint in Cloud Computing. Jing Deng 1,*, Ping Guo 2, Qi Li 3, Haizhu Chen 1 Send Orders for Reprnts to [email protected] The Open Cybernetcs & Systemcs Journal, 2014, 8, 115-121 115 Open Access A Load Balancng Strategy wth Bandwdth Constrant n Cloud Computng Jng Deng 1,*,

More information

Causal, Explanatory Forecasting. Analysis. Regression Analysis. Simple Linear Regression. Which is Independent? Forecasting

Causal, Explanatory Forecasting. Analysis. Regression Analysis. Simple Linear Regression. Which is Independent? Forecasting Causal, Explanatory Forecastng Assumes cause-and-effect relatonshp between system nputs and ts output Forecastng wth Regresson Analyss Rchard S. Barr Inputs System Cause + Effect Relatonshp The job of

More information

APPLICATION OF PROBE DATA COLLECTED VIA INFRARED BEACONS TO TRAFFIC MANEGEMENT

APPLICATION OF PROBE DATA COLLECTED VIA INFRARED BEACONS TO TRAFFIC MANEGEMENT APPLICATION OF PROBE DATA COLLECTED VIA INFRARED BEACONS TO TRAFFIC MANEGEMENT Toshhko Oda (1), Kochro Iwaoka (2) (1), (2) Infrastructure Systems Busness Unt, Panasonc System Networks Co., Ltd. Saedo-cho

More information

The OC Curve of Attribute Acceptance Plans

The OC Curve of Attribute Acceptance Plans The OC Curve of Attrbute Acceptance Plans The Operatng Characterstc (OC) curve descrbes the probablty of acceptng a lot as a functon of the lot s qualty. Fgure 1 shows a typcal OC Curve. 10 8 6 4 1 3 4

More information