A Survey of Homomorphic Encryption for Nonspecialists

Hindawi Publishing Corporation EURASIP Journal on Information Security Volume 2007, Article ID 13801, 10 pages doi:10.1155/2007/13801

Review Article A Survey of Homomorphic Encryption for Nonspecialists

Caroline Fontaine and Fabien Galand

CNRS/IRISA-TEMICS, Campus de Beaulieu, 35042 Rennes Cedex, France

Correspondence should be addressed to Caroline Fontaine, [email protected]

Received 30 March 2007; Revised 10 July 2007; Accepted 24 October 2007

Recommended by Stefan Katzenbeisser

Processing encrypted signals requires special properties of the underlying encryption scheme. A possible choice is the use of homomorphic encryption. In this paper, we propose a selection of the most important available solutions, discussing their properties and limitations.

Copyright © 2007 C. Fontaine and F. Galand. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1. INTRODUCTION momorphic encryption; it is particularly aimed at noncryp- tographers, providing guidelines about the main characteris- The goal of encryption is to ensure confidentiality of data tics of encryption primitives: algorithms, performance, secu- in communication and storage processes. Recently, its use rity. Section 3 provides a survey of homomorphic encryption in constrained devices led to consider additional features, schemes published so far, and analyses their characteristics. such as the ability to delegate computations to untrusted Most schemes we describe are based on mathematical no- computers. For this purpose, we would like to give the un- tions the reader may not be familiar with. In the cases these trusted computer only an encrypted version of the data to notions can easily be introduced, we present them briefly. process. The computer will perform the computation on this Thereadermayreferto[15] for more information concern- encrypted data, hence without knowing anything on its real ing those we could not introduce properly, or algorithmic value. Finally, it will send back the result, and we will decrypt problems related to their computation. it. For coherence, the decrypted result has to be equal to the Before going deeper in the subject, let us introduce some intended computed value if performed on the original data. notation. The integer (x) denotes the number of bits con- For this reason, the encryption scheme has to present a par- stituting the binary expansion of x.Asusual,Zn will denote ∗ ticular structure. Rivest et al. proposed in 1978 to solve this the set of integers modulo n,andZn the set of its invertible issue through homomorphic encryption [1]. Unfortunately, elements. Brickell and Yacobi pointed out in [2]somesecurityflaws in the first proposals of Rivest et al. Since this first attempt, 2. TOWARDS HOMOMORPHIC ENCRYPTION a lot of articles have proposed solutions dedicated to numerous application contexts: secret sharing schemes, thresh- 2.1. Basics about encryption old schemes (see, e.g., [3]), zero-knowledge proofs (see, e.g., [4]), oblivious transfer (see, e.g., [5]), commitment schemes In this section, we will recall some important concepts con- (see, e.g., [3]), anonymity, privacy, electronic voting, elec- cerning encryption schemes. For more precise information, tronic auctions, lottery protocols (see, e.g., [6]), protection the reader may refer to [16] or the more recent [17]. of mobile agents (see, e.g., [7]), multiparty computation (see, Encryption schemes are, first and foremost, designed to e.g., [3]), mix-nets (see, e.g., [8, 9]), watermarking or finger- preserve confidentiality. According to Kerckoffs’ principle printing protocols (see, e.g., [10–14]), and so forth. (see [18, 19] for the original papers, or any book on cryp- The goal of this article is to provide nonspecialists with tography), their security must not rely on the obfuscation of a survey of homomorphic encryption techniques. Section 2 their code, but only on the secrecy of the decryption key. We recalls some basic concepts of cryptography and presents ho- can distinguish two kinds of encryption schemes: symmetric 2 EURASIP Journal on Information Security and asymmetric ones. We will present them shortly and dis- the receiver with the secret key needed to recover the data, the cuss their performance and security issues. sender encrypts this key with an asymmetric cipher. Hence, the asymmetric cipher is used to encrypt only a short data, Symmetric encryption schemes while the symmetric one is used for the longer one. The sender and the receiver do not need to share anything be- Here “symmetric” means that encryption and decryption are fore performing the encryption/decryption as the symmet- performed with the same key. Hence, the sender and the re- ric key is transmitted with the help of the public key of the receiver. Proceeding this way, we combine the advantages of ceiver have to agree on the key they will use before perform- ffi ing any secure communication. Therefore, it is not possi- both: e ciency of symmetric schemes and functionalities of ble for two people who never met to use such schemes di- the asymmetric schemes. rectly. This also implies to share a different key with every one we want to communicate with. Nevertheless, symmet- Security issues ric schemes present the advantage of being really fast and are used as often as possible. In this category, we can distinguish Security of encryption schemes was formalized for the first block ciphers (AES [20, 21])1 and stream ciphers (One-time time by Shannon [26]. In his seminal paper, Shannon in- pad presented in Figure 1 [22], Snow 2.0 [23]),2 which are troduced the notion of perfect secrecy/unconditional secu- even faster. rity, which characterizes encryption schemes for which the knowledge of a ciphertext does not give any information ei- ther about the corresponding plaintext or about the key. He Asymmetric encryption schemes proved that the one-time pad is perfectly secure under some conditions, as explained in Figure 1. In fact, no other scheme, In contrast to the previous family, asymmetric schemes in- neither symmetric nor asymmetric, has been proved uncon- troduce a fundamental difference between the abilities to en- ditionally secure. Hence, if we omit the one-time pad, any crypt and to decrypt. The encryption key is public, as the encryption scheme’s security is evaluated with regard to the decryption key remains private. When Bob wants to send an computational power of the opponent. In the case of asym- encrypted message to Alice, he uses her public key to encrypt metric schemes, we can rely on their mathematical structure the message. Alice will then use her private key to decrypt it. to estimate their security level in a formal way. They are based Such schemes are more functional than symmetric ones since on some well-identified mathematical problems which are there is no need for the sender and the receiver to agree on hard to solve in general, but easy to solve for the one who anything before the transaction. Moreover, they often pro- knows the trapdoor, that is, the owner of the keys. Hence, vide more features. These schemes, however, have a big draw- it is easy for the owner of the keys to compute his/her pri- back: they are based on nontrivial mathematical computa- vate key, but no one else should be able to do so, as the tions, and much slower than the symmetric ones. The two knowledge of the public key should not endanger the private most prominent examples, RSA [24] and ElGamal [25], are key. Through reductions, we can compare the security level presented in Figures 2 and 3. of these schemes with the difficulty of solving these mathematical problems (factorizing large integers or computing Performance issues a discrete logarithm in a large group) which are famous for their hardness. Proceeding this way, we obtain an estimate A block cipher like AES is typically 100 times faster than RSA of the security level, which sometimes turns out to be op- ffi encryption and 2000 times than RSA decryption, with about timistic. This estimation may not be su cient for several 60 MB per second on a modest platform. Stream ciphers reasons. First, there may be other ways to break the system are even faster, some of them being able to encrypt/decrypt than solving the reference mathematical problem [27, 28]. 100 MB per second or more.3 Thus, while encryption or de- Second, most of security proofs are performed in an ideal- cryption of the whole content of a DVD will take about a ized model called the random oracle model,inwhichinvolved minute with a fast stream cipher, it is simply not realistic to primitives, for example, hash functions, are considered truly use an asymmetric cipher in practice for such a huge amount random. This model has allowed the study of the security of data as it would require hours, or even days, to encrypt or level for numerous asymmetric ciphers. Recent works show decrypt. that we are now able to perform proofs in a more realistic Hence, in practice, it is usual to encrypt the data we want model called the standard model.From[29]to[30], a lot of to transmit with an efficient symmetric cipher. To provide papers compared these two models, discussing the gap between them. In parallel with this formal estimation of the security level, an empirical one is performed in any case, and 1 AES has been standardized; see http://csrc.nist.gov/groups/ST/toolkit/ new symmetric and asymmetric schemes are evaluated ac- block ciphers.html formoredetails. cording to published attacks. 2 Snow 2.0 is included in the draft of Norm ISO/IEC 18033-4, http://www The framework of a security evaluation has been stated .iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER by Shannon in 1949 [26]: all the considered messages are =3997. 3 See, for example, http://www.ecrypt.eu.org/stream/perf/alpha/bench- encrypted with the same key—so, for the same recipient— marks/snow-2.0 for some benchmark of Snow 2.0, or openssl for AES and and the opponent’s challenge is to take an advantage from all RSA. his observations to disclose the involved secret/private key. C. Fontaine and F. Galand 3

Usually, to evaluate the attack capacity of the opponent, we of information about the plaintext m, namely, the so- distinguish among several contexts [31]: ciphertext-only at- called Jacobi symbol; tacks (where the opponent has access only to some cipher- (iii) when using a deterministic encryption scheme, it is texts), known-plaintext attacks (where the opponent has ac- easy to detect when the same message is sent twice cess to some pairs of corresponding plaintext-ciphertexts), while processed with the same key. chosen-plaintext attacks (same as previous, but the opponent can choose the plaintexts and get the corresponding cipher- So, in practice, we prefer encryption schemes to be prob- texts), and chosen-ciphertext attacks (the opponent has access abilistic. In the case of symmetric schemes, we introduce a to a decryption oracle, behaving as a black-box, that takes random vector in the encryption process (e.g., in the pseudo- a ciphertext and outputs the corresponding plaintext). The random generator for stream ciphers, or in the operating first context is the most frequent in real life, and results from mode for block ciphers), generally called IV. This vector eavesdropping the communication channel; it is the worst may be public, and transmitted as it is, without being en- case for the opponent. The other cases may seem difficult to crypted, but IV must be changed every time we encrypt achieve, and may arise when the opponent has a more pow- a message. In the case of asymmetric ciphers, the security erful position; he may, for example, have stolen some plain- analysis is more mathematical, and we want the randomized texts, or an encryption engine. The “chosen” ones exist in schemes to remain analyzable in the same way as the deter- adaptive versions, where the opponent can wait for a compu- ministic schemes. Some adequate modes have been proposed tation result before choosing the next input. to randomize already published deterministic schemes, as the Optimal Asymmetric Encryption Padding OAEP for RSA (or any scheme based on a trap-door one-way permutation) How do we choose the right scheme? [33].8 Some new schemes, randomized by nature, have also been proposed [25, 34, 35] (see also Figures 3 and 4). The right scheme is the one that fits your constraints in the A simple consequence of this requirement to be proba- best way. By constraints, we may understand constraints in bilistic appears in the so-called expansion: since for a plain- time, memory, security, and so forth. The two first criteria text we require the existence of several possible ciphertexts, are very important in highly constrained architectures, of- the number of ciphertexts is greater than the number of pos- ten encountered in very small devices (PDAs, smart cards, sible plaintexts. This means the ciphertexts cannot be as short RFID tags, etc.). They are also important if we process a huge as the plaintexts, they have to be strictly longer. The ratio amount of data, or numerous data at the same time, for ex- between the length, in bits, of ciphertexts and plaintexts is ample, video streams. Some schemes as AES or RSA are usu- called the expansion. Of course, this parameter is of practical ally chosen because of their reputation, but it is important importance. We will see in the sequel that efficient proba- to note that new schemes are proposed each year. Indeed, it bilistic encryption schemes have been proposed with an ex- is necessary to keep a diversity in the proposals. First, it is pansion less than 2 (e.g., Paillier’s scheme). necessary in order to be able to face new kinds of require- ments. Second, because of security purpose, having all the 2.3. Homomorphic encryption schemes relying on the same structure may lead to a disaster in case an attack breaks this structure. Hence, huge interna- We will present in this section the basic definitions related to tional projects have been funded to ask for new proposals, homomorphic encryption. The state of the art will be given in with a fair evaluation to check their advantages and draw- Section 3. backs, for example, RIPE, NESSIE,4 and NIST’s call for the M 5 6 7 The most common definition is the following. Let design of the AES, CRYPTREC, ECRYPT, and so forth. (resp., C) denote the set of the plaintexts (resp., ciphertexts). An encryption scheme is said to be homomorphic if for any 2.2. Probabilistic encryption given encryption key k the encryption function E satisfies The most well-known cryptosystems are deterministic:for ∀m1, m2 ∈ M, E m1Mm2 ←− E m1 C E m2 (1) a fixed encryption key, a given plaintext will always be encrypted in the same ciphertext. This may lead to some draw- for some operators M in M and C in C,where← means backs.RSAisagoodexampletoillustratethispoint: “can be directly computed from,” that is, without any inter- (i) particular plaintexts may be encrypted in a too much mediate decryption. M C structured way: with RSA, messages 0 and 1 are always If ( , M)and( , C )aregroups,wehaveagroup ho- encryptedas0and1,respectively; momorphism.Wesayaschemeisadditively homomorphic if (ii) it may be easy to compute partial information about we consider addition operators, and multiplicatively homo- the plaintext: with RSA, the ciphertext c leaks one bit morphic if we consider multiplication operators. A lot of such homomorphic schemes have been published that have been widely used in many applications. Note that 4 see http://www.cryptonessie.org. 5 see http://csrc.nist.gov and http://csrc.nist.gov/CryptoToolkit/aes. 6 see http://www.ipa.go.jp/security/enc/CRYPTREC/index-e.html. 8 Note that there are a lot of more recent papers proposing variants or im- 7 see http://www.ecrypt.eu.org. provements of OAEP, but it is not our purpose here. 4 EURASIP Journal on Information Security

Prerequisite: Alice and Bob share a secret random keystream, say a binary one. Goal:AlicecansendanencryptedmessagetoBob,andBobcansendanencryptedmessagetoAlice. Principle: To encrypt a message, Alice (resp., Bob) XORs the plaintext and the keystream. To decrypt the received message, Bob (resp., Alice) applies XOR on the ciphertext and the keystream. Security: This scheme has been showed to be unconditionally secure by Shannon [26] if and only if the keystream is truly random, has the same length as the plaintext, and is used only once. Thus, this scheme is used only for very critical situations for which these constraints may be managed, as the red phone used by the USA and the USSR [32, pp. 715-716]. What we may use more commonly is a similar scheme, where the keystream is generated by a pseudorandom generator, initialized by the secret key shared by Alice and Bob. A lot of such stream ciphers has been proposed, and their security remains only empirical. Snow 2.0 is one of these.

Figure 1: One-time pad—1917(used)/1926 (published [22]). Note that this scheme may be transposed in any group (G,+)otherthan ({0, 1}, XOR), encryption being related to addition of the keystream, while decryption consists in subtracting the keystream.

Prerequisite: Alice computed a (public, private) key: an integer n = pq,wherep and q are well chosen large prime numbers, an integer e such that gcd (e, φ(n)) = 1, and an integer d which is the inverse of e modulo φ(n), that is, ed ≡ 1modφ(n); φ(n) denotes the Euler function, φ(n) = φ(pq) = (p − 1)(q − 1). Alice’s public key is (n, e), and her private key is d; p and q have also to be kept secret, but are no more needed to process the data, they were only useful for Alice to compute d from e. Goal: Anyone can send an encrypted message to Alice. Principle: To send an encrypted version of the message m to Alice, Bob computes c = me mod n. To get back to the plaintext, Alice computes cd mod n which, according to Euler’s theorem, is precisely equal to m. Security: It is clear that if an opponent may factor n and recover p and q,hewillbeabletocomputeφ(n), then d,andwillbeable to decrypt Alice messages. So, the RSA problem (accessing m while given c) is weaker than the factorization problem. It is not known whether the two problems are equivalent or not.

Figure 2: RSA—1978 [24]. in some contexts it may be of great interest to have this prop- provide any useful information on the plaintext to some hy- erty not only for one operator but for two at the same time. pothetical adversary having only a reasonably restricted com- Hence, we are also interested in the design of ring/algebraic putational power. More formally, for any function f and homomorphisms. Such schemes would satisfy a relation of the any plaintext m, and with only polynomial resources (that form is, with algorithms which time/space complexities vary as a polynomial function of the size of the inputs), the probabil- ∀m , m ∈ M, E m +Mm ←− E m +C E m , 1 2 1 2 1 2 (2) ity to guess f (m) (knowing f but not m) does not increase E m ×Mm ←− E m ×C E m . 1 2 1 2 if the adversary knows a ciphertext corresponding to m. This As it will be further discussed, no convincing algebraic ho- might be thought of as a kind of perfect secrecy in the case momorphic encryption scheme has been found yet, and their when we only have polynomial resources. design remains an open problem. Together with this strong requirement, the notion of Less formally, these definitions mean that, for a fixed key polynomial security was defined: the adversary chooses two k, it is equivalent to perform operations on the plaintexts plaintexts, and we choose secretly at random one plaintext before encryption, or on the corresponding ciphertexts after and provide to the adversary a corresponding ciphertext. The encryption. So we require a kind of commutativity between adversary, still with polynomial resources, must guess which encryption and some data processing operations. plaintext we chose. If the best he can do is to achieve a prob- Of course, the schemes we will consider in the following ability 1/2+ε of success, the encryption is said to be polyno- have to be probabilistic ciphers, and we may consider E to mially secure. Polynomial security is now known as the indis- behave in a probabilistic way in the above definitions. tinguishability of encryptions following the terminology and definitions of Goldreich [36]. 2.4. New security considerations Quite amazingly, Goldwasser and Micali proved the equivalence between polynomial security and semantic se- Probabilistic encryption was introduced with a clear pur- curity [34]; Goldreich extended these notions [36] preserv- pose: security. This requires to properly define different se- ing the equivalence. With this equivalence, it is easy to state curity levels. Semantic security wasintroducedin[34], at the that a deterministic asymmetric encryption scheme cannot same time as probabilistic encryption, in order to define what be semantically secure since it cannot be indistinguishable: could be a strong security level, unavailable without proba- the adversary knows the encryption function, and thus can bilistic encryption. Roughly, a probabilistic encryption is se- compute the single ciphertext corresponding to each plain- mantically secure if the knowledge of a ciphertext does not text. C. Fontaine and F. Galand 5

Prerequisite: Alice generated a (public, private) key: she ﬁrst chose a large prime integer p, a generating element g of the cyclic ∗ = − ∈ group Zp , and considered q p 1, the order of the group; building her public key, she picked at random a Zq = a ∗ and computed yA g in Zp , her public key being then (g, q, yA); her private key is a. Goal: Anyone can send an encrypted message to Alice. ∈ = k k Principle:Tosendanencryptedversionofthemessagem to Alice, Bob picks at random k Zq,computes(c1, c2) (g , myA) ∗ a −1 ∗ in Zp . To get back to the plaintext, Alice computes c2(c1) in Zp ,whichispreciselyequaltom. Security: The security of this scheme is related to the Diﬃe-Hellman problem: if we can solve it, then we can break ElGamal encryption. It is not known whether the two problems are equivalent or not. This scheme is IND-CPA.

Figure 3: ElGamal—1985 [25].

But with asymmetric encryption schemes, the adversary broken in subexponential time [45]. Note that this last point knows the whole encryption material E involving both the does not mean that deterministic algebraically homomor- encryption function and the encryption key. Thus, he can phic cryptosystems are insecure, but that one can find the compute any pair (m, E(m)). Naor and Yung [37]andRack- plaintext from a ciphertext in a subexponential time (which off and Simon [38] introduced different abilities, relying on is still too long to be practicable). For example, we know the different contexts we discussed above. From the weak- that the security of RSA encryption depends on factorization est to the strongest, we have the chosen-plaintext, nonadap- algorithms and we know subexponential factorization algo- tive chosen ciphertext and the strongest is the adaptive cho- rithm. Nevertheless, RSA is still considered strong enough. sen ciphertext. This leads to the IND-CPA, IND-CCA1, and IND-CCA2 notions in the literature. IND stands for indistin- 3. HOMOMORPHIC ENCRYPTION: STATE OF THE ART guishability whereas CPA and CCA are acronyms for chosen plaintext attack and chosen-ciphertext attack. Finally, CCA1 First of all, let us recall that both RSA and ElGamal encryp- refers to nonadaptive attacks, and CCA2 to adaptive ones. tion schemes are multiplicatively homomorphic. The prob- Considering the previous remarks on the ability for anyone lem is that the original RSA being deterministic, it cannot to encrypt while using asymmetric schemes, the adversary achieve a security level of IND-CPA (which is the highest has always the chosen-plaintext ability. security level for homomorphic schemes, see Section 2.4). Another security requirement termed nonmalleability Furthermore its probabilistic variants, obtained through has also been introduced to complete the analysis. Given a OAEP/OAEP+, are no more homomorphic. In contrast to ciphertext c = E(m), it should be hard for an opponent to RSA, ElGamal offers the best security level for a homomor- produce a ciphertext c such that the corresponding plain- phic encryption scheme, as it has been shown to be IND- text m , that is not necessary known to the opponent, has CPA. Moreover, it is interesting to notice that an additively some known relation with m. This notion was formalized homomorphic variant of ElGamal has also been proposed ff di erently by Dolev et al. [39, 40], and by Bellare et al. [41], [48]. Comparing it with the original ElGamal, this variant both approaches being proved equivalent by Bellare and Sa- also involves an element G (G may be equal to g) that gen- hai [42]. erates (Z , +) with respect to the addition operation. To send ff q We will not detail the relations between all these di er- an encrypted version of the message m to Alice, Bob picks at ent notions and the interested reader can refer to [41–43]for ∈ = k m k random k Zq and computes (c1, c2) (g , G yA). To get a comprehensive treatment. Basically, the adaptive chosen- a −1 back the plaintext, Alice computes c2(c1) , which is equal to ciphertext indistinguishability IND-CCA2 is the strongest re- Gm; then, she has to compute m in a second step. Note that quirement for an encryption; in particular, it implies non- this last decryption step is hard to achieve and that there is malleability. no other choice for Alice than to use brute force search to get It should be emphasized that a homomorphic encryption back m from Gm. It is also well known that ElGamal’s con- cannot have the nonmalleability property. With the notation = struction works for any family of groups for which the dis- of Section 2.3, knowing c,wecancomputec c C c and de- crete logarithm problem is considered intractable. For exam- duce, by the homomorphic property, that c is a ciphertext of = ple, it may be derived in the setup employing elliptic curves. m m Mm. According to the previous remark on adaptive Hence, ElGamal and its variants are known to be really in- chosen-ciphertext indistinguishability, an homomorphic en- teresting candidates for realistic homomorphic encryption cryption has no access to the strongest security requirement. schemes. The highest security level it can reach is IND-CPA. We will now describe another important family of homo- To conclude this section on security, and for the sake morphic encryption schemes, ranging from the first proba- of completeness, we point out some security considerations bilistic system9 proposed by Goldwasser and Micali in 1982 about deterministic homomorphic encryption. First, it was proved that a deterministic homomorphic encryption for which the operation is a simple addition is insecure [44]. 9 To be more precise, the first published probabilistic public-key encryption Second, Boneh and Lipton showed in 1996 that any de- schemeisduetoMcEliece[49], and the first to add the homomorphic terministic algebraically homomorphic cryptosystem can be property is due to Goldwasser-Micali. 6 EURASIP Journal on Information Security

Prerequisite: Alice computed a (public, private) key: she ﬁrst chose n = pq, p and q being large prime numbers, and g a quadratic nonresidue modulo n whose Jacobi symbol is 1; her public key is composed of n and g, and her private key is the factorization of n. Goal: Anyone can send an encrypted message to Alice. ∈ ∗ = b 2 Principle: To encrypt a bit b, Bob picks at random an integer r Zn ,andcomputesc g r mod n (remark that c is a quadratic residue if and only if b = 0). To get back to the plaintext, Alice determines if c is a quadratic residue or not. To do so, she uses the property that the Jacobi symbol (c/p)isequalto(−1)b. Please, note that the scheme encrypts 1 bit of information, while its output is usually 1024 bits long! Security: This scheme is the ﬁrst one that was proved semantically secure against a passive adversary (under computational assumption).

Figure 4: Goldwasser-Micali—1982 [34, 46].

Prerequisite: Alice computed a (public, private) key: she ﬁrst chose an integer n = pq, p and q being two large prime numbers and = = ∗ ∈ n satisfying gcd (n, φ(n)) 1, and considered the group G Zn2 of order k. She also considered g G of order n.Her public key is composed of n and g, and here private key consists in the factors of n. Goal: Anyone can send a message to Alice. ∈ ∈ ∗ = m n 2 Principle: To encrypt a message m Zn, Bob picks at random an integer r Zn ,andcomputesc g r mod n .Togetbackto λ(n) 2 the plaintext, Alice computes the discrete logarithm of c mod n , obtaining mλ(n) ∈ Zn,whereλ(n)denotesthe − Carmichael function. Now, since gcd (λ(n), n) = 1, Alice easily computes λ(n) 1 mod n and gets m. Security: This scheme is IND-CPA.

Figure 5: Paillier—1999 [47].

[34, 46] (described in Figure 4), to the famous Paillier’s en- Then, encryption selects a random element of Mb to encrypt cryption scheme [47] (described in Figure 5) and its im- b, and decryption allows to know in which part the ran- provements. Paillier’s scheme and its variants are famous for domly selected element lies. The core point lies in the way their efficiency, but also because, as ElGamal, they achieve the to choose the subset, and to partition it into M0 and M1.GM highest security level for homomorphic encryption schemes. uses group theory to achieve the following: the subset is the We will not discuss their mathematical considerations in group G of invertible integers modulo n with a Jacobi sym- detail, but will summarize their important parameters and bol, with respect to n, equal to 1. The partition is generated properties. by another group H ⊂ G, composed of the elements that are (i) We begin with the rather simple scheme of invertible modulo n with a Jacobi symbol, with respect to a Goldwasser-Micali [34, 46]. Besides some historical impor- fixed factor of n, equal to 1; with these settings, it is possible tance, this scheme had an important impact on later pro- to split G into two parts: H and G \ H. posals. Several other schemes, that will be presented below, The generalizations of Goldwasser-Micali play with these were obtained as generalizations of this one. For these rea- two groups; they try to find two groups G and H such that G sons, we provide a detailed description in Figure 4.Here,as can be split into more than k = 2 parts. for RSA, we use computations modulo n = pq,aproduct (ii) Benaloh [50] is a generalization of GM, that enables of two large primes. Encryption is simple, with a product to manage inputs of (k) bits, k being a prime satisfying and a square, whereas decryption is heavier, with an expo- some particular constraints. Encryption is similar as in the nentiation. Nevertheless, this step can be done in O((p)2). previous scheme (encrypting a message m ∈{0, ..., k − 1} ∈ ∗ = m k Unfortunately, this scheme presents a strong drawback since means picking an integer r Zn and computing c g r its input consists of a single bit. First, this implies that en- mod n) but decryption is more complex. The input and out- crypting k bits leads to a cost of O(k·(p)2). This is not very put sizes being, respectively, of (k)and(n) bits, the expan- efficient even if it is considered as practical. The second con- sion is equal to (n)/(k). This is better than in the GM case. sequence concerns the expansion: a single bit of plaintext is Moreover, the encryption cost is not too high.√ Nevertheless, encrypted in an integer modulo n, that is, (n) bits. Thus, the the decryption cost is estimated to be O( k(k)) for pre- expansion is really huge. This is the main drawback of this computation, and the same for each dynamical decryption. scheme. This implies that k has to be taken quite small, which limits Before continuing our review, let us present the the gain obtained on the expansion. Goldwasser-Micali (GM) scheme from another point of view. (iii) Naccache-Stern [51] is an improvement of Benaloh’s This is required to understand how it has been generalized. scheme. Considering a parameter k that can be greater The basic principle of GM is to partition a well-chosen sub- than before, it leads to a smaller expansion. Note that set of integers modulo n into two secret parts: M0 and M1. the constraints on k are slightly different. The encryption C. Fontaine and F. Galand 7 step is precisely the same as in Benaloh’s scheme, but the (vii) Galbraith proposed in [58] an adaptation of the pre- decryption is different. To summarize, the expansion is vious scheme in the context of elliptic curves. Its expansion still equal to (n)/(k), but the decryption cost is lower: is equal to 3. The ratio of the encryption (resp., decryption) O((n)5 log ((n))), and the authors claim it is reasonable to cost of this scheme in the case s = 1 over Paillier’s can be choose the parameters as to get an expansion equal to 4. estimatedtobeabout7(resp.,14).But,incontrasttothe (iv) In order to improve previous schemes, Okamoto and previous scheme, the larger the s is, the more the cost may de- Uchiyama decided to change the base group G [52]. Consid- crease. Moreover, as in the case of Damgard-Jurik’s˚ scheme, ering n = p2q, p and q still being two large primes, and the the higher the s is, the stronger the scheme is. = ∗ = 10 group G Zp2 , they achieve k p. Thus, the expansion (viii) Castagnos explored in [59, 60] another improve- is equal to 3. As Paillier’s scheme is an improvement of this ment direction considering quadratic fields quotients. We one and will be fully described below, we will not discuss its have the same kind of structure regarding ns+1 as before, but description in detail. Its advantage lies in the proof that its se- in another context. To summarize, the expansion is 3 and the curity is equivalent to the factorization of n. Unfortunately, ratio of the encryption/decryption cost of this scheme in the a chosen-ciphertext attack has been proposed leading to this case s = 1overPaillier’scanbeestimatedtobeabout2(plus2 factorization. This scheme was used to design the EPOC sys- computations of Legendre symbols for the decryption step). tems [53], currently submitted for the supplement P1363a to (x) To close the survey of this family of schemes, let us the IEEE Standard Specifications for Public-Key Cryptogra- mention the ElGamal-Paillier amalgam, which merges Pail- phy (IEEE P1363). Note that earlier versions of EPOC were lier and the additively homomorphic variant of ElGamal. subject to security flaws as pointed out in [54], due to a bad More precisely, it is based on Damgard-Jurik’s˚ (presented use of the scheme. above) and Cramer-Shoup’s [55] analyses and variants of (v) One of the most well-known homomorphic encryp- Paillier’s scheme, and was proposed by [9]. The goal was tion schemes is due to Paillier [47], and is described in to gain the advantages of both schemes while minimizing Figure 5. It is an improvement of the previous one, that de- their drawbacks. Preserving the notation of both ElGamal creases the expansion from 3 to 2. Paillier came back to and Paillier schemes, we will describe the encryption in the n = pq,withgcd(n, φ(n)) = 1, but considered the group particular case s = 1, which leads Damgard-Jurik’s˚ variant = ∗ = ∈ G Zn2 , and a proper choice of H led him to k (n). to the original Paillier. To encrypt a message m Zn,Bob k The encryption cost is not too high. Decryption needs one picks at random an integer k,andcomputes(c1, c2) = (g exponentiation modulo 2 to the power ( ), and a mul- m k n 2 n λ n mod n,(1+n) (yA mod n) mod n ). tiplication modulo n. Paillier showed in his paper how to Now that we have reviewed the two most famous fami- manage decryption efficiently through the Chinese Remain- lies of homomorphic encryption schemes, we would like to der Theorem. With smaller expansion and lower cost com- mention a few research directions and challenges. pared with the previous ones, this scheme is really attractive. First, as we mentioned in Section 2.1,itisimportant In 2002, Cramer and Shoup proposed a general approach to to have different kinds of schemes, because of applications gain security against adaptive chosen-ciphertext attacks for and security purposes. One direction to design homomor- certain cryptosystems with some particular algebraic prop- phic schemes that are not directly related to the same math- erties [55]. Applying it to Paillier’s original scheme, they pro- ematical problems as ElGamal or Paillier (and variants) is to posed a stronger variant. Bresson et al. proposed in [56]a consider the recent papers dealing with Weil pairing. As this slightly different version that may be more accurate for some new direction is more and more promising in the design of applications. asymmetric schemes, the investigation in the particular case (vi) Damgard˚ and Jurik proposed in [57] a generalization ∗ of homomorphic ciphers is of interest. ElGamal may not be of Paillier’s scheme to groups of the form Zns+1 with s>0. The directly used in the Weil pairing setup as the mathematical larger the s is, the smaller the expansion is. Moreover, this problem it is based on becomes easy to manage. One more scheme leads to a lot of applications. For example, we can promising direction is the use of the pairing-based scheme mention the adaptation of the size of the plaintexts, the use proposed by Boneh and Franklin [61] to obtain a secure ho- of threshold cryptography, electronic voting, and so forth. To momorphic ID-based scheme (see directions in [62] for the ∈ ∈ ∗ encrypt a message m Zn, one picks r Zn at random and ability of such schemes to provide interesting new features). m ns ∈ computes g r Zns+1 . The authors show that if one can A second interesting research direction lies in the area of = break the scheme for a given value s σ, then one can break symmetric encryption. As all the homomorphic encryption = − it for s σ 1. They also show that the semantic security of schemes we mentioned so far are asymmetric, they are not this scheme is equivalent to that of Paillier. Tosummarize, the as fast as symmetric ones could be. But, homomorphy is eas- ffi expansion is of 1+1/s, and hence can be close to 1 if s is su - ier to manage when mathematical operators are involved in ciently large. The ratio of the encryption cost of this scheme the encryption process, which is not usually the case in sym- over Paillier’s can be estimated to be (1/6)s(s +1)(s +2).The metric schemes. Very few symmetric homomorphic schemes same ratio for the decryption step equals (1/6)(s +1)(s +2). have been proposed, most of them being broken ([63]bro- Note that even if this scheme is better than Paillier’s accord- ken in [64, 65], [66]brokenin[67]). Nevertheless, it may ing to its lower expansion, it remains more costly. Moreover, if we want to encrypt or decrypt k blocks of (n) bits, running Paillier’s scheme k times is less costly than running Damgard-˚ 10 This scheme is mentioned in the conclusion of [59], and more deeply Jurik’s scheme once. presented in [60], unfortunately in French. 8 EURASIP Journal on Information Security be of interest to consider a simple generalization of the one- Notes in Computer Science, pp. 117–126, Springer, New York, time pad, where bits are replaced by integers modulo n,as NY, USA, 1987. introduced by [68]. In terms of security, it has exactly the [3] D. Rappe, Homomorphic cryptosystems and their applications, same properties than the one-time pad, that is, perfect se- Ph.D. thesis, University of Dortmund, Dortmund, Germany, crecy if and only if the keystream is truly random, of same 2004, http://www.rappe.de/doerte/Diss.pdf. length as the plaintext, and is used only once. Here again, this [4] R. Cramer and I. Damgard,˚ “Zero-knowledge for finite field arthmetic, or: can zeroknowledge be for free?” in Advances is overwhelming and the keystream could be generated by a in Cryptology (CRYPTO ’98), vol. 1462 of Lecture Notes in well-chosen pseudorandom generator (e.g., as Snow 2.0), de- Computer Science, pp. 424–441, Springer, New York, NY, USA, creasing security from unconditional to computational. Note 1998. that this scheme’s homomorphy is a little bit fuzzy, as we have [5] H. Lipmaa, “Verifiable homomorphic oblivious transfer and for any pair of encryption keys (k1, k2) private equality test,” in Advances in Cryptology (ASIACRYPT ’03), vol. 2894 of Lecture Notes in Computer Science, pp. 416– ∀ ∈ M ←− m1, m2 , Ek1+k2 m1 + m2 Ek1 m1 + Ek2 m2 . 433, Springer, New York, NY, USA, 2003. (3) [6] P.-A. Fouque, G. Poupard, and J. Stern, “Sharing decryption in the context of voting or lotteries,” in Proceedings of the 4th This is the only example of a symmetric homomorphic en- International Conference on Financial Cryptography, vol. 1962 cryptionthathasnotbeencracked. of Lecture Notes in Computer Science, pp. 90–104, Anguilla, As per algebraic homomorphy, designing algebraically British West Indies, 2000. homomorphic encryption schemes is a real challenge today. [7] T. Sander and C. Tschudin, “Protecting mobile agents against There has been only a few ones proposed: by Fellows and malicious hosts,” in Mobile Agents and Security, vol. 1419 of Koblitz [69] (which cannot be considered as secure nor ef- Lecture Notes in Computer Science, pp. 44–60, Springer, New ficient [70]), by Domingo-Ferrer [63, 66](whichhasbeen York, NY, USA, 1998. broken [64, 65, 67]), and construction studies of Rappe et al. [8] P.Golle, M. Jakobsson, A. Juels, and P.Syverson, “Universal re- [3]. No satisfactory solution has been proposed so far, and, encryption for mixnets,” in Proceedings of the RSA Conference Cryptographers (Track ’04), vol. 2964 of Lecture Notes in Com- as Boneh and Lipton conjectured that any algebraically ho- puter Science, pp. 163–178, San Francisco, Calif, USA, 2004. momorphic encryption would prove to be insecure [45], the [9] I. Damgard˚ and M. Jurik, “A length-flexible threshold cryp- question of their existence and design is still open. tosystem with applications,” in Proceedings of the 8th Aus- tralian Conference on Information Security and Privacy (ACISP 4. CONCLUSION ’03), vol. 2727 of Lecture Notes in Computer Science, Wollon- gong, Australia, 2003. We presented in this paper a state of the art on homomor- [10] A. Adelsbach, S. Katzenbeisser, and A. Sadeghi, “Cryptology phic encryption schemes discussing their parameters, perfor- meets watermarking: detecting watermarks with minimal or mances and security issues. As we saw, these schemes are not zero-knowledge disclosures,” in Proceedings of the European well suited for every use, and their characteristics must be Signal Processing Conference (EUSIPCO ’02), Toulouse,France, taken into account. Nowadays, such schemes are studied in September 2002. wide application contexts, but the research is still challeng- [11] B. Pfitzmann and W. Waidner, “Anonymous fingerprinting,” in Advances in Cryptology (EUROCRYPT ’97), vol. 1233 of ing in the cryptographic community to design more power- Lecture Notes in Computer Science, pp. 88–102, Springer, New ful/secure schemes. Their use in the signal processing com- York, NY, USA, 1997. munity is quite new, and we hope this paper will serve as [12] N. Memon and P. Wong, “A buyer-seller watermarking proto- a guide for understanding their specificities, advantages and col,” IEEE Transactions on Image Processing, vol. 10, no. 4, pp. limits. 643–649, 2001. [13] C.-L. Lei, P.-L. Yu, P.-L. Tsai, and M.-H. Chan, “An efficient ACKNOWLEDGMENTS and anonymous buyer-seller watermarking protocol,” IEEE Transactions on Image Processing, vol. 13, no. 12, pp. 1618– The authors are indebted to the referees for their fruitful 1626, 2004. comments concerning this manuscript, and to Fabien Laguil- [14] M. Kuribayashi and H. Tanaka, “Fingerprinting protocol for laumie and Guilhem Castagnos for discussions about the re- images based on aditive homomorphic property,” IEEE Trans- cent improvements in the field. They also thank all the peo- actions on Image Processing, vol. 14, no. 12, pp. 2129–2139, 2005. ple who took the time to read this manuscript and share their [15] V. Shoup, A Computational Introduction to Number thoughts about it. Dr. C. Fontaine is supported (in part) by Theory and Algebra, Cambridge University Press, 2005, the European Commission through the IST Programme un- http://www.shoup.net/ntb/. der Contract IST-2002-507932 ECRYPT. [16] A. Menezes, P. Van Orschot, and S. Vanstone, Hand- book of applied cryptography, CRC Press, 1997, REFERENCES http://www.cacr.math.uwaterloo.ca/hac/. [17] H. Van Tilborg, Ed., Encyclopedia of Cryptography and Security, [1] R. Rivest, L. Adleman, and M. Dertouzos, “On data banks and Springer, New York, NY, USA, 2005. privacy homomorphisms,” in Foundations of Secure Computa- [18] A. Kerckhoffs, “La cryptographie militaire (part i),” Journal des tion, pp. 169–177, Academic Press, 1978. Sciences Militaires, vol. 9, no. 1, pp. 5–38, 1883. [2] E. Brickell and Y. Yacobi, “On privacy homomorphisms,” in [19] A. Kerckhoffs, “La cryptographie militaire (part ii),” Journal Advances in Cryptology (EUROCRYPT ’87), vol. 304 of Lecture des Sciences Militaires, vol. 9, no. 2, pp. 161–191, 1883. C. Fontaine and F. Galand 9

[20] J. Daemen and V. Rijmen, “The block cipher RIJNDAEL,” in [38] C. Rackoff and D. Simon, “Non-interactive zero-knowledge (CARDIS ’98), vol. 1820 of Lecture Notes in Computer Science, proof of knowledge and chosen ciphertext attack,” in Advances pp. 247–256, Springer, New York, NY, USA, 2000. in Cryptology (CRYPTO ’91), vol. 576 of Lecture Notes in Com- [21] J. Daemen and V. Rijmen, “The design of Rijndael,” in AES— puter Science, pp. 433–444, Springer, New York, NY, USA, the Advanced Encryption Standard, Informtion Security and 1991. Cryptography, Springer, New York, NY, USA, 2002. [39] D. Dolev, C. Dwork, and M. Naor, “Non-malleable cryptogra- [22] G. Vernam, “Cipher printing telegraph systems for secret wire phy,” in Proceedings of the 23rd ACM Annual Symposium on the and radio telegraphic communications,” Journal of the Ameri- Theory of Computing —(STOC ’91), pp. 542–552, 1991. can Institute of Electrical Engineers, vol. 45, pp. 109–115, 1926. [40] D. Dolev, C. Dwork, and M. Naor, “Non-malleable cryptogra- [23] P. Ekdahl and T. Johansson, “A new version of the stream phy,” SIAM Journal of Computing, vol. 30, no. 2, pp. 391–437, cipher SNOW,” in Selected Areas in Cryptography (SAC ’02), 2000. vol. 2595 of Lecture Notes in Computer Science, pp. 47–61, [41] M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway, “Re- Springer, New York, NY, USA, 2002. lations among notions of security for public-key encryption [24] R. Rivest, A. Shamir, and L. Adleman, “A method for obtaining schemes,” in Advances in Cryptology (CRYPTO ’98), vol. 1462 digital signatures and public-key cryptosystems,” Communica- of Lecture Notes in Computer Science, pp. 26–45, Springer, New tions of the ACM, vol. 21, no. 2, pp. 120–126, 1978. York, NY, USA, 1998. [25] T. ElGamal, “A prublic key cryptosystem and a signature [42] M. Bellare and A. Sahai, “Non-malleable encryption: equiva- scheme based on discrete logarithms,” in Advances in Cryp- lence between two notions, and an indistinguishability-based tology (CRYPTO ’84), vol. 196 of Lecture Notes in Computer characterization,” in Advances in Cryptology (CRYPTO ’99), Science, pp. 10–18, Springer, New York, NY, USA, 1985. vol. 1666 of Lecture Notes in Computer Science, pp. 519–536, [26] C. Shannon, “Communication theory of secrecy systems,” Bell Springer, New York, NY, USA, 1999. System Technical Journal, vol. 28, pp. 656–715, 1949. [43] Y. Watanabe, J. Shikata, and H. Imai, “Equivalence between [27] M. Ajtai and C. Dwork, “A public key cryptosystem with semantic security and indistinguishability against chosen ci- worst-case/average-case equivalence,” in Proceedings of the phertext attacks,” in Public Key Cryptography (PKC ’03), 29th ACM Symposium on Theory of Computing (STOC ’97), vol. 2567 of Lecture Notes in Computer Science, pp. 71–84, pp. 284–293, 1997. Springer, New York, NY, USA, 2003. [28] P. Nguyen and J. Stern, “Cryptanalysis of the Ajtai-Dwork [44] N. Ahituv, Y. Lapid, and S. Neumann, “Processing encrypted cryptosystem,” in Advances in Cryptology (CRYPTO ’98), data,” Communications of the ACM, vol. 30, no. 9, pp. 777–780, vol. 1462 of Lecture Notes in Computer Science, pp. 223–242, 1987. Springer, New York, NY, USA, 1999. [45] D. Boneh and R. Lipton, “Algorithms for black box fields and [29] R. Canetti, O. Goldreich, and S. Halevi, “The random oracle their application to cryptography,” in Advances in Cryptology model, revisited,” in Proceedings of the 30th ACM Symposium (CRYPTO ’96), vol. 1109 of Lecture Notes in Computer Science, on Theory of Computing (STOC ’98), pp. 209–218, Berkeley, pp. 283–297, Springer, New York, NY, USA, 1996. Calif, USA, 1998. [46] S. Goldwasser and S. Micali, “Probabilistic encryption,” Jour- [30] P.Paillier, “Impossibility proofs for RSA signatures in the stan- nal of Computer and System Sciences, vol. 28, no. 2, pp. 270– dard model,” in Proceedings of the RSA Conference 2007, Cryp- 299, 1984. tographers’ (Track), vol. 4377 of Lecture Notes in Computer Sci- ence, pp. 31–48, San Fancisco, Calif, USA, 2007. [47] P. Paillier, “Public-key cryptosystems based on composite de- [31] W. Diffie and M. Hellman, “New directions in cryptography,” gree residuosity classes,” in Advances in Cryptology (EURO- IEEE Transactions on Information Theory,vol.22,no.6,pp. CRYPT ’99), vol. 1592 of Lecture Notes in Computer Science, 644–654, 1976. pp. 223–238, Springer, New York, NY, USA, 1999. [32] D. Kahn, The Codebreakers: The Story of Secret Writing, [48] R. Cramer, R. Gennaro, and B. Schoenmakers, “A secure and ffi Macmillan, New York, NY, USA, 1967. optimally e cient multiauthority election scheme,” in Ad- [33] M. Bellare and P. Rogaway, “Optimal asymmetric vances in Cryptology (EUROCRYPT ’97), vol. 1233 of Lecture encryption—how to encrypt with RSA,” in Advances in Notes in Computer Science, pp. 103–118, Springer, New York, Cryptology (EUROCRYPT ’94), vol. 950 of Lecture Notes in NY, USA, 1997. Computer Science, pp. 92–111, Springer, New York, NY, USA, [49] R. McEliece, “A public-key cryptosystem based on algebraic 1995. coding theory,” Dsn progress report, Jet Propulsion Labora- [34] S. Goldwasser and S. Micali, “Probabilistic encryption & how tory, 1978. to play mental poker keeping secret all partial information,” in [50] J. Benaloh, Verifiable secret-ballot elections, Ph.D. thesis, Yale Proceedings of the 14th ACM Symposium on the Theory of Com- University, Department of Computer Science, New Haven, puting (STOC ’82), pp. 365–377, New York, NY, USA, 1982. Conn, USA, 1988. [35] M. Blum and S. Goldwasser, “An efficient probabilistic public- [51]D.NaccacheandJ.Stern,“Anewpublic-keycryptosystem key encryption scheme which hides all partial information,” in based on higher residues,” in Proceedings of the 5th ACM Con- Advances in Cryptology (EUROCRYPT ’84), vol. 196 of Lecture ference on Computer and Communications Security, pp. 59–66, Notes in Computer Science, pp. 289–299, Springer, New York, San Francisco, Calif, USA, November 1998. NY, USA, 1985. [52] T. Okamoto and S. Uchiyama, “A new public-key cryptosys- [36] O. Goldreich, “A uniform complexity treatment of encryption tem as secure as factoring,” in Advances in Cryptology (EURO- and zero-knowledge,” Journal of Cryptology,vol.6,no.1,pp. CRYPT ’98), vol. 1403 of Lecture Notes in Computer Science, 21–53, 1993. pp. 308–318, Springer, New York, NY, USA, 1998. [37] M. Naor and M. Yung, “Public-key cryptosystems provably se- [53] T. Okamoto, S. Uchiyama, and E. Fujisaki, “Epoc: efficient cure against chosen ciphertext attacks,” in Proceedings of the probabilistic publickey encryption,” Tech. Rep., 2000, Proposal 22nd ACM Annual Symposium on the Theory of Computing to IEEE P1363a, http://grouper.ieee.org/groups/1363/P1363a/ (STOC ’90), pp. 427–437, Baltimore, Md, USA, 1990. draft.html. 10 EURASIP Journal on Information Security

[54] M. Joye, J.-J. Quisquater, and M. Yung, “On the power of [69] M. Fellows and N. Koblitz, “Combinatorial cryptosystems ga- misbehaving adversaries and security analysis of the original lore!,” in Contemporary Mathematics, vol. 168 of Finite Fields: EPOC,” in Topics in Cryptology CT-RSA 2001, vol. 2020 of Lec- Theory, Applications, and Algorithms, FQ2, pp. 51–61, 1993. ture Notes in Computer Science, Springer, New York, NY, USA, [70] L. Ly, A public-key cryptosystem based on Polly Cracker,Ph.D. 2001. thesis, Ruhr-Universitat¨ Bochum, Bochum, Germany, 2002. [55] R. Cramer and V. Shoup, “Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption,” in Advances in Cryptology (EUROCRYPT ’02), vol. 2332 of Lecture Notes in Computer Science, pp. 45–64, Springer, New York, NY, USA, 2002. [56] E. Bresson, D. Catalano, and D. Pointcheval, “A simple public- key cryptosystem with a double trapdoor decryption mech- anism and its applications,” in Advances in Cryptology (ASI- ACRYPT ’03), vol. 2894 of Lecture Notes in Computer Science, pp. 37–54, Springer, New York, NY, USA, 2003. [57] I. Damgard˚ and M. Jurik, “A generalisation, a simplification and some applications of Pailliers probabilistic public-key system,” in 4th International Workshop on Practice and Theory in Public-Key Cryptography, vol. 1992 of Lecture Notes in Com- puter Science, pp. 119–136, Springer, New York, NY, USA, 2001. [58] S. Galbraith, “Elliptic curve paillier schemes,” Journal of Cryp- tology, vol. 15, no. 2, pp. 129–138, 2002. [59] G. Castagnos, “An efficient probabilistic public-key cryptosystem over quadratic fields quotients,” 2007, Finite Fields and Their Applications, paper version in press, http://www.unilim.fr/pages perso/guilhem.castagnos/. [60] G. Castagnos, Quelques schémas de cryptographie asymétrique probabiliste, Ph.D. thesis, Universite´ de Limoges, 2006, http://www.unilim.fr/pages perso/guilhem.castagnos/. [61] D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” in Advances in Cryptology (CRYPTO ’01), vol. 2139 of Lecture Notes in Computer Science, pp. 213–229, Springer, New York, NY, USA, 2001. [62] D. Boneh, X. Boyen, and E.-J. Goh, “Hierarchical identity based encryption with constant size ciphertext,” in Advances in Cryptology (EUROCRYPT ’05), vol. 3494 of Lecture Notes in Computer Science, pp. 440–456, Springer, New York, NY, USA, 2005. [63] J. Domingo-Ferrer, “A provably secure additive and multi- plicative privacy homomorphism,” in Proceedings of the 5th International Conference on Information Security (ISC ’02), vol. 2433 of Lecture Notes in Computer Science, pp. 471–483, Sao Paulo, Brazil, 2002. [64] D. Wagner, “Cryptanalysis of an algebraic privacy homomorphism,” in Proceedings of the 6th International Conference on Information Security (ISC ’03), vol. 2851 of Lecture Notes in Computer Science, Bristol, UK, 2003. [65] F. Bao, “Cryptanalysis of a provable secure additive and multi- plicative privacy homomorphism,” in International Workshop on Coding and Cryptograhy (WCC ’03), pp. 43–49, Versailles, France, 2003. [66] J. Domingo-Ferrer, “A new privacy homomorphism and applications,” Information Processing Letters,vol.60,no.5,pp. 277–282, 1996. [67] J. Cheon, W.-H. Kim, and H. Nam, “Known-plaintext cryptanalysis of the domingo-ferrer algebraic privacy homomorphism scheme,” Information Processing Letters, vol. 97, no. 3, pp. 118–123, 2006. [68] C. Castelluccia, E. Mykletun, and G. Tsudik, “Efficient ag- gregation of encrypted data in wireless sensor networks,” in ACM/IEEE Mobile and Ubiquitous Systems: Networking and Services (Mobiquitous ’05), pp. 109–117, 2005.