A Survey Report on Partially Homomorphic Encryption Techniques in Cloud Computing

International Journal of Engineering Research & Technology (IJERT) ISSN: 2278-0181 Vol. 2 Issue 12, December - 2013

A Survey Report On Partially Homomorphic Encryption Techniques In Cloud Computing

1. S. Ramachandram 2. R.Sridevi 3. P. Srivani

1. Professor &Vice Principal, Oucollege Of Engineering,Dept Of Cse,Hyd 2. Associate Professor, Jntuh, Dept Of Cse,Hyd 3. Research Scholar & Asso.Prof., Det Of Cse, Hitam, Hyd

Abstract: Homomorphic encryption is a used to create secure voting systems, form of encryption which allows specific collision-resistant hash functions, private types of computations to be carried out on information retrieval schemes and enable cipher text and obtain an encrypted result widespread use of cloud computing by which decrypted matches the result of ensuring the confidentiality of processed operations performed on the plaintext. As data. cloud computing provides different services, homomorphic encryption techniques can be There are several efficient, partially used to achieve security. In this paper , We homomorphic cryptosystems. Although a presented the partially homomorphic cryptosystem which is unintentionally encryption techniques. homomorphic can be subject to attacks on this basis, if treated carefully, Keywords: Homomorphic, ElGamal, Pailler, homomorphism can also be used to perform RSA, Goldwasser–Micali , Benaloh, computations securely. Section 2 describes Okamoto Uchiyama cryptosystemIJERT, IJERTabout the partially homomorphic encryption Naccache–Stern cryptosystem, RNS. techniques.

2. Partially Homomorphic Encryption Techniques 1. INTRODUCTION RSA Security is a desirable feature in modern system architectures. Homomorphic In cryptography, RSA[1] is an asymmetric encryption would allow the chaining encryption system. If the RSA public key is together of different services without modulus and exponent , then the exposing the data to each of those services. encryption of a message is given by For example a chain of different services . from different companies could 1) calculate the tax 2) the currency exchange rate 3) The homomorphic property is then shipping, on a transaction without exposing the unencrypted data to each of those services. Homomorphic encryption schemes are malleable by design. The homomorphic property of various cryptosystems can be

IJERTV2IS120681 www.ijert.org 3278 International Journal of Engineering Research & Technology (IJERT) ISSN: 2278-0181 Vol. 2 Issue 12, December - 2013

ElGamal Encryption  Bob calculates the shared secret . In cryptography, the ElGamal encryption system[2] is an asymmetric encryption  Bob converts his secret message into algorithm for public key cryptography an element of . which is based on the Diffie Helman  Bob calculates . exchange . It was described by Taher  Bob sends the cipher text ElGamal in 1984. ElGamal encryption is used in the free GNU privacy Guard to Alice. software, recent versions of PGP, and other cryptosystems. The Digital Signature Note that one can easily find if one Algorithm is a variant of ElGamal Signature knows . Therefore, a new is generated Algorithm, which should not be confused for every message to improve security. For with ElGamal encryption. this reason, is also called an ephemeral key. ElGamal encryption can be defined over any cyclic Group . Its security depends upon Decryption the difficulty of a certain problem in related to computing discrete logarithms. The decryption algorithm works as follows: to decrypt a cipher ext with her Key Generation private key ,

The key generator works as follows:  Alice calculates the shared secret

 Alice generates an efficient description of a multiplicative cyclicIJERT IJERT and then computes group of order with generator which she then converts back into . the plaintext message , where  Alice chooses a random from is inverse of In the group . . (E.g. modular multiplicative inverse if is a subgroup of a  Alice computes . multiplication group of integers  Alice publishes , along with the modulo n). description of , as her public key. Alice retains as her private The decryption algorithm produces the key which must be kept secret. intended message, since

Encryption

The encryption algorithm works as follows: Efficiency to encrypt a message to Alice under her public key , ElGamal encryption is probabilistic meaning that a single plain text can be  Bob chooses a random from encrypted to many possible cipher texts, , then calculates with the consequence that a general . ElGamal encryption produces a 2:1

IJERTV2IS120681 www.ijert.org 3279 International Journal of Engineering Research & Technology (IJERT) ISSN: 2278-0181 Vol. 2 Issue 12, December - 2013

expansion in size from plaintext to cipher Goldwasser–Micali text. The Goldwasser–Micali (GM) crypto Encryption under ElGamal requires two system[3] is an asymmetric key encryption exponentiation. However, these algorithm developed by Shaff Goldwasser exponentiations are independent of the and Silvio Micali in 1982. GM has the message and can be computed ahead of time if need be. Decryption only requires one distinction of being the first probabilistic exponentiation. public-key encryption scheme which is provably secure under standard The division by can be avoided by using cryptographic assumptions. However, it is an alternative method for decryption. To not an efficient cryptosystem, as cipher texts decrypt a cipher text with Alice's may be several hundred times larger than the private key , initial plaintext. To prove the security properties of the cryptosystem, Goldwasser  Alice calculates and Micali proposed the widely used . definition of semantic security.

is the inverse of . This is a consequence Because encryption is performed using a of Langranges Theorem, because probabilistic algorithm, a given plaintext may produce very different cipher texts each . time it is encrypted. This has significant advantages, as it prevents an adversary from recognizing intercepted messages by  Alice then computes , comparing them to a dictionary of known which she then converts back into IJERT IJERTcipher texts. the plaintext message . The scheme relies on deciding whether a The decryption algorithm produces the given value x is a square mod N, given the intended message, since factorization (p, q) of N. This can be accomplished using the following . procedure:

In the ElGamal cryptosystem, in a 1. Compute xp = x mod p, xq = x mod q. group , if the public key is , where , and 2. If and is the secret key, then the , then x encryption of a message is is a quadratic residue mod N. , for some random . The Key Generation homomorphic property is then Alice generates two distinct large prime numbers p and q, randomly and

independently of each other.

IJERTV2IS120681 www.ijert.org 3280 International Journal of Engineering Research & Technology (IJERT) ISSN: 2278-0181 Vol. 2 Issue 12, December - 2013

1. Alice computes N = p q. quadratic non-residue x, then the encryption 2. She then finds some non-residue x of a bit b is , for such that the legendra symbols some random . The satisfy and hence homomorphic property is then the Jacobi symbol is +1. The value x can for example be found by selecting random values and testing where denotes addition modulo 2. the two Legendre symbols. If (p, q) = 3 mod 4 (i.e., N is a Blum integer), Benaloh Cryptosystem then the value N − 1 is guaranteed to have the required property. The Benaloh Cryptosystem[4] is an extension of the Goldwasser micali The public key consists of (x, N). The secret cryptosystem(GM) created in 1994 by Josh key is the factorization (p, q). (Cohen) Benaloh. The main improvement of the Benaloh Cryptosystem over GM is that Message encryption longer blocks of data can be encrypted at once, whereas in GM each bit is encrypted Suppose Bob wishes to send a message m to individually. Like many public key Alice: cryptosystem, this scheme works in the 1. Bob first encodes m as a string of group where n is a product of bits (m1, ., mn). two large primes. This scheme is 2. For every bit , Bob generates a homomorphic and hence malleable. random value from the group of units modulo N, or . Key Generation He outputs the valueIJERT IJERT A public/private key pair is generated as . follows:

Bob sends the cipher text (c1, .. , cn).  Choose a block size r.  Choose large primes p and q such Message Decryption that r divides (p-1), gcd(r, (p-1)/r) = 1 and gcd(q-1,r) = 1. Alice receives (c1, ..., cn). She can recover m  Set n = pq using the following procedure:  Choose such that 1. For each i, using the prime . factorization (p, q), Alice determines whether the value ci is a quadratic The public key is then y, n, and the private residue; if so, mi = 0, otherwise mi = key is the two primes p, q. 1. Message encryption Alice outputs the message m = (m1, ..., mn). To encrypt a message m, where m is taken to In the Goldwasser micali cryptosystem , if be an element in the public key is the modulus m and

IJERTV2IS120681 www.ijert.org 3281 International Journal of Engineering Research & Technology (IJERT) ISSN: 2278-0181 Vol. 2 Issue 12, December - 2013

 Choose a random Pailler cryptosystem  Set The Paillier crypto system[5], named after Message decryption and invented by pascal pailler in 1999, is a probabilistic asymmetric algorithm for public key cryptography. The problem of computing n-th residue classes is believed to To understand decryption, we first notice be computationally difficult. The decisional that for any m, u we have composite residuosity assumption is the intractability hypothesis upon which this Since m < r and cryptosystem is based. , we can conclude that The scheme is an additive homomorphic if and cryptosystem; this means that, given only only if m = 0. So if is the public-key and the encryption of an encryption of m, given the secret key p, q and , one can compute the encryption of we can determine whether m=0. If r is small, . we can decrypt z by doing an exhaustive -I search, i.e. decrypting the messages y z for i Key Generation from 1 to r. By pre computing values, using the Baby step Gaint step algorithm, 1. Choose two large prime numbers p decryption can be done in time . and q randomly and independently of each other such that Security . This property is assured if both The security of this scheme rests on the IJERTprimes are of equivalent length, i.e., Higher residuosity problem specifically,IJERT given z, r and n where the factorization of n for security is unknown, it is computationally infeasible parameter . to determine whether z is an r th residue 2. Compute and mod n, i.e. if there exists an x such that . . 3. Select random integer where

In the Benaloh cryptosystem if the public 4. Ensure divides the order of by key is the modulus m and the base g with a checking the existence of the blocksize of c, then the encryption of a following modular multiplicative message x is , for inverse some random . The , where function is defined homomorphic property is then

as . Note that the notation a/b does not denote the modular multiplication of times the modular multiplicative inverse of but rather the quotient of

IJERTV2IS120681 www.ijert.org 3282 International Journal of Engineering Research & Technology (IJERT) ISSN: 2278-0181 Vol. 2 Issue 12, December - 2013

divided by , i.e., the largest integer value to satisfy the relation . The product of a cipher text with a plaintext raising g will decrypt to the  The public (encryption) key is sum of the corresponding plaintexts, .  The private (decryption) key is

 Homomorphic multiplication of If using p, q of equivalent length, a simpler plaintexts variant of the above key generation steps would be to set An encrypted plaintext raised to the and , where power of another plaintext will decrypt to the product of the two . plaintexts, Encryption

1. Let be a message to be encrypted where More generally, an encrypted 2. Select random where 3. Compute cipher text as: plaintext raised to a constant k will decrypt to the product of the

plaintext and the constant, Decryption IJERTIJERT

1. Cipher text However, given the Paillier encryptions of 2. Compute message: two messages there is no known way to compute an encryption of the product of these messages without knowing the private Homomorphic properties key.

A notable feature of the Paillier Okamoto–Uchiyama cryptosystem cryptosystem is its homomorphic properties. As the encryption function is additively The Okamoto–Uchiyama crypto system[6] homomorphic, the following identities can was discovered in 1998 by T. Okamoto and be described: S. Uchiyama. The system works in the group , where n is of the form p2q  Homomorphic addition of plaintexts and p and q are large primes.

The product of two cipher texts will decrypt to the sum of their

corresponding plaintexts,

IJERTV2IS120681 www.ijert.org 3283 International Journal of Engineering Research & Technology (IJERT) ISSN: 2278-0181 Vol. 2 Issue 12, December - 2013

Key Generation The map L should be thought of as a logarithm from the cyclic group H to the A public/private key pair is generated as additive group , and it is easy to check follows: that L(ab) = L(a) + L(b), and that the L is an isomorphism between these two groups. As  Generate large primes p and q and is the case with the usual logarithm, set . L(x)/L(g) is, in a sense, the logarithm of x with base g.  Choose such that . We have  Let h = gn mod n.

The public key is then (n, g, h) and the private key is the factors (p, q). So to recover m we just need to take the logarithm with base gp−1, which is Message Encryption accomplished by To encrypt a message m, where m is taken to be an element in

 Select at random. Set Naccache–Stern cryptosystem.

The Naccache–Stern crypto system[7] is a Message Decryption homomorphic public key encryption whose security rests on the higher residuosity IJERTIJERTproblem. The Naccache–Stern cryptosystem If we define , then decryption was discovered by David Naccache and becomes Jacques Stern in 1998. Like many public key cryptosystem, this scheme works in the group where n is a product of two large primes.. This scheme is homomorphic

and hence malleable. How the system works Key Generation The group  Pick a family of k small distinct primes p ,...,p . The group has a unique subgroup of 1 k  Divide the set in half and set order p, call it H. By the uniqueness of H, we must have . .  Set  Choose large primes a and b such For any element x in , we have that both p = 2au+1 and q=2bv+1 are xp−1 mod p2 is in H, since p divides xp−1 − 1. prime.  Set n=pq.

IJERTV2IS120681 www.ijert.org 3284 International Journal of Engineering Research & Technology (IJERT) ISSN: 2278-0181 Vol. 2 Issue 12, December - 2013

 Choose a random g mod n such that Once mi is known for each i, m can g has order φ(n)/4. be recovered by a direct application of the Chinese remainder theorem. The public key is the numbers σ, n, g and the private key is the pair p, q. Damg ard–Jurik cryptosystem

When k=1 this is essentially the Benaloh The Damg ard–Jurik crypto system[8] is a cryptosystem. generalization of the Pailler cryptosystem.. It uses computations modulo where Message encryption is an RSA modulus and a (positive) natural number. Paillier's scheme is the This system allows encryption of a message special case with . The order m in the group . of can be divided by . Moreover can be written as the direct  Pick a random . product of . is cyclic and of order  Calculate , while is isomorphic to . For encryption, the message is transformed into Then E(m) is an encryption of the message the corresponding coset of the factor Group m. and the security of the scheme relies on the difficulty of distinguishing random Message decryption elements in different cosets of . It is semantically secure if it is hard to decide if To decrypt, we first find m mod pi for each i, two given elements are in the same coset. and then we apply the Chinese remainder Like Paillier, the security of Damgård–Jurik theorem to calculate m mod . can be proven under the decisional IJERTIJERTcomposite residuosity assumption. Given a cipher text c, to decrypt, we calculate Key generation

. Thus 1. Choose two large prime numbers p and q randomly and independently of each other. 2. Compute and . 3. Choose an element such that where . for a known relative prime to and . Since pi is chosen to be small, mi can be recovered be exhaustive search, 4. Using the chinese remainder theorem , choose such that i.e. by comparing to for and j from 1 to pi-1. . For instance could be as in Paillier's original scheme.

IJERTV2IS120681 www.ijert.org 3285 International Journal of Engineering Research & Technology (IJERT) ISSN: 2278-0181 Vol. 2 Issue 12, December - 2013

 The public (encryption) key is with .  The private (decryption) key is . xi = X modulo mi Decryption Encryption

Let be a message to be encrypted Chinese Remainder theorem can be used to where . decrypt the number represented in Residue Number System. The Chinese Remainder 1. Select random where . Theorem is the theorem that enables the 2. Compute cipher text as: conversion of residues back into more . traditional form such as Decimal form. With this theorem, for residues {r1, r2, ..., rn} of a Decryption number x, can be converted back into x, provided the greatest common divisor of any 1. Cipher text pair of moduli is 1. The theorem can be 2. Compute . If c is a expressed as: valid cipher text then

3. Apply a recursive version of the pailler decryption mechanism to obtain . As is known, it is

possible to compute Where, ri is the residue, Ai is , where M . is the product of moduli and Ti is the IJERTIJERTmultiplicative inverse over the ring modulo Residue Number System , popularly written as . RNS is homomorphic encryption[9] technique which can be used to achieve 4. Conclusion security. A residue number system is defined by a set of N integer constants, This paper presents a partially homomorphic encryption techniques used in {m1, m2, m3, ... , mN }, cloud computing to achieve security.

referred to as the moduli. Let M be the least 5. References common multiple of all the mi. 1. http://en.wikipedia.org/wiki/RSA Encryption 2.http://en.wikipedia.org/wiki/ElGamal_encr Any arbitrary integer X smaller than M can be represented in the defined residue number yption system as a set of N smaller integers 3.http://en.wikipedia.org/wiki/Goldwasser% {x1, x2, x3, ... , xN} E2%80%93Micali_cryptosystem

IJERTV2IS120681 www.ijert.org 3286 International Journal of Engineering Research & Technology (IJERT) ISSN: 2278-0181 Vol. 2 Issue 12, December - 2013

4.http://en.wikipedia.org/wiki/Benaloh_cryp tosystem

5.http://en.wikipedia.org/wiki/Paillier_crypt osystem

6.http://en.wikipedia.org/wiki/Okamoto%E2 %80%93Uchiyama_cryptosystem

7.http://en.wikipedia.org/wiki/Naccache%E 2%80%93Stern_cryptosystem

8.http://en.wikipedia.org/wiki/Damg%C3% A5rd%E2%80%93Jurik_cryptosystem

9.http://icsd.i2r.a- star.edu.sg/staff/sethome/pdf/004.pdf

IJERTIJERT

IJERTV2IS120681 www.ijert.org 3287