sign in sign up
<<
Home , Arithmetic function

This is a repository copy of Practical homomorphic encryption over the integers for secure computation in the cloud.

White Rose Research Online URL for this paper: http://eprints.whiterose.ac.uk/143389/

Version: Accepted Version

Article: Dyer, J, Dyer, M and Xu, J orcid.org/0000-0002-4598-167X (2019) Practical homomorphic encryption over the integers for secure computation in the cloud. International Journal of Information Security, 18 (5). pp. 549-579. ISSN 1615-5262 https://doi.org/10.1007/s10207-019-00427-0

© Springer-Verlag GmbH Germany, part of Springer Nature 2019. This is an author produced version of a paper published in International Journal of Information Security. Uploaded in accordance with the publisher's self-archiving policy.

Reuse Items deposited in White Rose Research Online are protected by copyright, with all rights reserved unless indicated otherwise. They may be downloaded and/or printed for private study, or other acts as permitted by national copyright laws. The publisher or other rights holders may allow further reproduction and re-use of the full text version. This is indicated by the licence information on the White Rose Research Online record for the item.

Takedown If you consider content in White Rose Research Online to be in breach of UK law, please notify us by emailing [email protected] including the URL of the record and the reason for the withdrawal request.

[email protected] https://eprints.whiterose.ac.uk/ Noname manuscript No. (will be inserted by the editor)

Practical Homomorphic Encryption Over the Integers for Secure Computation in the Cloud

James Dyer · Martin Dyer · Jie Xu

the date of receipt and acceptance should be inserted later

Abstract We present novel homomorphic encryption 1 Introduction schemes for integer arithmetic, intended primarily for use in secure single-party computation in the cloud. With services like Amazon’s Elastic MapReduce [4] and These schemes are capable of securely computing arbit- Microsoft’s HDInsight [59] offering large-scale distrib- rary degree polynomials homomorphically. In practice, uted cloud computing environments, computation in ciphertext size and running times limit the polynomial the cloud is becoming increasingly more available. Such degree, but this appears sufficient for most practical services allow for computation on large volumes of data applications. We present four schemes, with increasing to be performed without the large investment in local levels of security, but increasing computational over- computing resources. However, where the data that is head. Two of the schemes provide strong security for processed is sensitive, such as financial or medical data, high-entropy data. The remaining two schemes provide then uploading such data in its raw form to such a third- strong security regardless of this assumption. These party service becomes problematic. four algorithms form the first two levels of a hierarchy of schemes and we also present the general cases of To take advantage of these cloud services, we require each scheme. We further elaborate how a fully homo- a means to process the data securely on such a plat- morphic system can be constructed from one of our gen- form. We designate such a computation, secure com- eral cases. In addition, we present a variant based upon putation in the cloud (SCC). SCC should not expose Chinese Remainder Theorem (CRT) secret sharing. We input or output data to any other party, including the detail extensive evaluation of the first four algorithms cloud service provider. Furthermore, the details of the of our hierarchy by computing low-degree polynomi- computation should not allow any other party to de- als. The timings of these computations are extremely duce its inputs and outputs. Cryptography seems the favourable by comparison with even the best of exist- natural approach to this problem. ing methods, and dramatically out-perform many well- publicised schemes. The results clearly demonstrate the However, it should be noted that van Dijk and Juels practical applicability of our schemes. [36] show that cryptography alone cannot realise secure multi-party computation in the cloud, where the parties jointly compute a over their inputs while keep- ing their own inputs private. Since our approach is via homomorphic encryption, we will restrict our attention to what we will call secure single-party computation in the cloud (SSCC). A preliminary version of this paper [39] was presented at IMACC 2017. Homomorphic encryption (HE) appears to offer a J. Dyer solution to the SSCC problem. First defined by Rivest De Montfort University, UK et al. [70] in 1978, HE allows a function to be computed M. Dyer · J. Xu on encrypted inputs without ever decrypting the inputs. School of Computing, University of Leeds, UK. Suppose we wish to compute the function f on inputs 2 James Dyer et al. x1,x2,...,xn, then, under HE, We have performed extensive experimental evalu- ation of the four schemes presented in this paper. We ′ ′ ′ ′ Dec(f (x1,x2,...,xn)) = f(x1,x2,...,xn), report on this in section 8. Our results are extremely fa- ′ ′ ′ vourable when compared with other methods. In some where x ,...,x are the encryptions of x1,...,x , f 1 n n cases, our algorithms outperform the running times of is the equivalent of f in the ciphertext space, and Dec directly comparable schemes by a factor of up to 1000, is the decryption function. HE clearly satisfies some of and considerably more than that for fully homomorphic the requirements for secure computation in the cloud. schemes, used in the same context. Finally, in section A somewhat HE scheme (SWHE) is a scheme which 9, we conclude the paper. is homomorphic for only limited inputs and functions. Fully HE (FHE) is a scheme that is homomorphic for all functions and inputs. This was first realised by Gentry 2 Background in 2009 [44], and appeared to be the ideal HE scheme. However, despite the clear advantages of FHE, and 2.1 Scenario many significant advances [20,18], it remains largely im- practical. Two implementations of recent FHE schemes, As introduced above, our work concerns secure single- HELib [49] and FHEW [37], both perform very poorly party computation in the cloud. In our scenario, a se- in practice, both in their running time and space re- cure client wishes to compute a function on a large quirements (see section 2.6). volume of data. This function could be searching or In this paper, we present four novel SWHE schemes sorting the data, computing an arithmetic function of for encryption of integers that are additively and multi- numeric data, or any other operation. We consider here plicatively homomorphic. These schemes are capable of the case where the client wishes to perform arithmetic computing arbitrary degree polynomials. In section 2, computations on numeric data. This data might be the we present our usage scenario, a summary of our results, numeric fields within a record, with non-numeric fields and a discussion of related work. We present our initial being treated differently. homomorphic scheme in section 3, in two variants, HE1 The client delegates the computation to the cloud. and HE1N. HE1 (section 3.1) provides strong security However, while the data is in the cloud, it could be for integers distributed with sufficient entropy. This se- subject to snooping, including by the cloud provider. curity derives from the assumed hardness of the par- The client does not wish to expose the input data, or tial approximate common problem (PACDP). the output of the computation, to possible snooping HE1N (section 3.2) guarantees strong security for in- in the cloud. A snooper here will be a party who may tegers not distributed with sufficient entropy or where observe the data and the computation in the cloud, but the distribution is not known, by adding an additional cannot, or does not, change the data or insert spurious “noise” term. In addition to the hardness assumption, data. (In our setting data modification would amount we prove that HE1N is IND-CPA secure [6]. Section 4 to pointless vandalism.) The snooping may be casual, describes a further two variants, HE2 and HE2N, which displaying an uninvited interest, or malicious, intending increase the entropy of the plaintext by adding a di- to use data for the attacker’s own purposes. mension to the ciphertexts, which are 2-vectors. This To obtain the required data privacy, the client’s further increases the security of these schemes by ef- function will be computed homomorphically on an en- fectively doubling the entropy. HE2 (section 4.1) deals cryption of the data. The client encrypts the source with integers of sufficient entropy, HE2N (section 4.2) data using a secret key and uploads the encryption to with integers without the required entropy or of un- the cloud, with a homomorphic equivalent of the tar- known distribution. HE2N also satisfies IND-CPA. We get computation. The cloud environment performs the describe this in some detail, since it appears to be prac- homomorphic computation on the encrypted data. The tically useful, and is the simplest version of our general result of the homomorphic computation is returned to scheme. In section 5, we generalise HE2 and HE2N from the client, who decrypts it using the secret key, and 2-vectors to k-vectors, for arbitrary k, in the scheme obtains the output of the computation. HEk, with noisy variant HEkN. These schemes may also In this scenario, the source data is never exposed in be practical for small enough k. In section 6, we detail a the cloud, but encryptions of it are. A snooper may ob- variant of our HE2N scheme that employs Chinese Re- serve the computation of the equivalent homomorphic mainder Theorem secret sharing to allow one to process function in the cloud environment. As a result, they the computation by dividing into subcomputations on may be able to deduce what operations are performed, smaller moduli. In section 7, we show how to construct even though they do not know the inputs. A snooper a fully homomorphic system from our HEk scheme. may also be able to inspect the (encrypted) working Practical Homomorphic Encryption Over the Integers for SecureComputationintheCloud 3

M−1 data generated by the cloud computation, and even per- Shannon: H1(X) = i=0 ξi lg ξi, − M−1 2 form side computations of their own. However, snoop- Collision: H2(X) = Plg ξ , − i=0 i ers have no access to the secret key, so cannot make M−1  Min: H∞(X) = lg maxPi=0 ξi . encryptions of their own. − It is known that H1(X) H2(X ) H∞(X), with ≥ ≥ equality if and only if X has the uniform distribution on 2.2 Definitions and Notation [0,M), in which case all three are lg M. We will denote H∞(X) by ρ, so it also follows that H1(X),H2(X) ρ. ≥ We use the term “entropy” without qualification to x $ S denotes a value x chosen uniformly at random ← mean min entropy, H∞(X). Note that H∞(X) = ρ from the discrete set S. ≥ lg M implies ξ 2−ρ, i [0,M), and that M 2ρ. x p S denotes a prime x chosen uniformly i ← ≤ ∈ ≥ at random from the discrete set S. We wish to compute a multivariate polynomial P of KGen : denotes the key generation function degree d on these inputs. A secure client A selects an S→K · operating on the security parameter space and whose instance Enc(K, ) of the encryption algorithm Enc us- S range is the secret key space . ing the secret parameter set K. A encrypts the n inputs K Enc : denotes the symmetric encryption by computing ci = Enc(K, mi), for i [1,n]. A uploads M×K→C ′ ∈ function operating on the plaintext space and the c1,c2,...,cn and P to the cloud computing environ- M ′ secret key space , whose range is the ciphertext space ment, where P is the homomorphic equivalent of P in K . the ciphertext space. The cloud environment computes C ′ ′ Dec : denotes the symmetric decryption P (c1,c2,...,cn). A retrieves P (c1,c2,...,cn) from the C×K→M function operating on the ciphertext space and the cloud, and computes C secret key space , whose range is the plaintext space K P (m , m , . . . , m )= Dec(K,P ′(c ,c ,...,c )). . 1 2 n 1 2 n M Add : denotes the homomorphic addition C×C→C 2 A snooper is only able to inspect c1,c2,...,cn, the function whose domain is and whose range is . ′ ′ C C function P , and the computation of P (c1,c2,...,cn), Mult : denotes the homomorphic multi- C×C→C 2 including subcomputations and working data, and per- plication function whose domain is and whose range 1 C form side-computations on these. Thus the snooper is is . C passive or honest-but-curious [45]. m, m1, m2, ... denote plaintext values, and c, c1, c2, ... denote ciphertext values. +1 ∗ k ∗ T ∗ If k = 2 , v⋆ = [v1 v2 ... vk ] denotes a k - 2.4 Observations from Scenario T vector which augments the k-vector v =[v1 v2 ... vk] by appending elements vi = fi(v1,...,vk) (i [k + First, we can observe that symmetric key encryption ∗ ∈ 1,k ]), for a linear function fi. (All vectors are column is sufficient for the model. Public key encryption is not vectors throughout.) necessary because there is no key escrow or distribution ei denotes the ith unit vector (i = 1, 2,...), with problem. Additionally, even though the public paramet- size determined by the context. ers of our symmetric schemes are exposed to the cloud, [x,y] denotes the integers between x and y inclusive, they do not provide an encryption oracle. and [x,y) denotes [x,y] y . \{ } Note that the n inputs do not necessarily need to log denotes loge and lg denotes log2. be uploaded at once, but n is an upper bound on the If λ is a security parameter, “with high probability” total number of inputs. For example, if the polynomial will mean with probability 1 2−ǫλ, for some constant − is separable we might compute it in separate stages, ǫ> 0. and this might be useful in more dynamic situations. Polynomial time or space will mean polynomial in This model is clearly susceptible to certain attacks. the security parameter λ. We consider ciphertext only, brute force, and cryptana- lytic attacks. To avoid cryptanalytic attacks, we must choose the parameters of the system carefully. Here, a 2.3 Formal Model of Scenario brute force attack will mean guessing the plaintext asso- ciated with a ciphertext. In our encryption schemes, it We have n integer inputs m1, m2, . . . , m distributed in n will be true that a guess can be verified. Since ξ 2−ρ [0,M) according to a probability distribution . If X is i ≤ D for i [0,M), the expected number µ of guesses before a random integer sampled from , let Pr[X = i] = ξi, ∈ D for i [0,M). We will consider three measures of the 1 ∈ However, note that our “N” schemes below provide secur- entropy of X, measured in bits: ity against more malicious snooping. 4 James Dyer et al. making a correct guess satisfies µ 2ρ. Massey [58] 2.5 Our Results ≥ gave a corresponding result in terms of the Shannon entropy H1(X). We describe new practical HE schemes for the encryp- Similarly, probability of any correct guess in 2ρ/2 tion of integers, to be employed in a SSCC system guesses is at most 2−ρ/2. This bound holds if we need inspired by the HE scheme CryptDB [65]. CryptDB only guess one of n inputs, m1, m2, . . . , mn, even if encrypts integers using the Paillier cryptosystem [63] 2 these inputs are not independent. Therefore, if ρ is large which is additively homomorphic . Similar systems [76, enough, a brute force attack is infeasible. An example 77] use ElGamal [40] to support multiplications. The of high entropy data is salaries for a large national or “unpadded” versions of these schemes must be used. multinational business. Low entropy data might include These are not secure under CPA [47], reducing the ad- enumerated types, such as gender. vantage of a public-key system. These schemes do not In our model, known plaintext attack (KPA) is pos- support both addition and multiplication. Computing sible only by brute force, and not through being given the inner product function requires re-encrypting the a sample of plaintext, ciphertext pairs. Chosen plain- data once the multiplications have been done, so that text attack (CPA) or chosen ciphertext attack (CCA) the additions can be performed. In a SSCC system, do not appear relevant to our model. Since Enc(K, ·) is this requires shipping the data back to the initiator for never exposed in the cloud, there is no realistic analogue re-encryption, a significant communication overhead. of an encryption or decryption oracle, as required by We aim to support both addition and multiplication these attacks. In public key encryption, an encryption without this overhead. It should also be noted that a algorithm is available as part of the system, so CPA hybrid scheme of Paillier and ElGamal, for a given mod- should be forestalled, though failure to satisfy IND- ulus, will be limited in the degree of polynomials that CPA [7] does not imply that we can break the system. can be computed. Should a product or sum exceed the Following [6], it is common in studying symmetric modulus then the result cannot be successfully decryp- key encryption to suppose that, in most practical set- ted. tings, defence against CPA or CCA is necessary. While Our scheme is inspired by the SWHE scheme of van IND-CPA and IND-CCA are clearly desirable proper- Dijk et al. that is used as the basis for a public-key ties for a cryptosystem, their necessity, in the symmet- system. As in their system, we add multiples of integers ric key context, seems hard to justify. Both [9] and [14] to the plaintext to produce a ciphertext. However, [35] provide examples intended to support this convention. supports only arithmetic mod 2. We generalise their However, these examples are unconvincing. Neverthe- scheme to larger moduli. less, we show that the “N” variants of our HE schemes We showed above that the input data must have below do satisfy IND-CPA. sufficient entropy to negate brute force attacks. If the data lacks sufficient entropy, we will introduce more in We note that observation of the function P ′, which two ways. The first adds random “noise” of sufficient closely resembles P , might leak some information about entropy to the ciphertext, to “mask” the plaintext. This its inputs. However, we assume that this information is approach is employed in [35]. In our “N” variants be- far too weak to threaten the security of the system, as low, we add a random multiple (from 0 to κ) of a large is common in the HE literature. However, if the threat integer, κ, to the ciphertext, such that m < κ, for all is significant, “garbled circuits” [45] are a possible solu- i i [1,N]. If the entropy of the original data was ρ, it tion. ∈ becomes ρ + lg κ. Therefore, if κ is large enough, our Finally, we note that our model of SSCC is very data has sufficient entropy. But there is a downside. If similar to the model of private single-client comput- the noise term grows too large, the ciphertext cannot ing, described in [36]. Furthermore, they describe an be decrypted successfully. So we are restricted to com- example practical application, a privacy preserving tax puting polynomials of bounded degree, but this does return preparation program, which computes the relev- not appear to be a practical problem. ant statistics on government servers without revealing The other technique will be to increase the dimen- the client’s inputs. Another example, cited in [57], is sion of the ciphertext. We represent the ciphertext as a device which collects health data which is streamed a k-vector, where each element is a linear function of to the cloud. Statistics are computed on the data and the plaintext. Addition and multiplication of cipher- reported back to the device. To protect the patient’s texts use linear algebra. The basic case k = 1 is de- privacy this data is encrypted by the device and the scribed in section 3.1. Then we can increase the en- computations are performed homomorphically. Erkin et al. [41] employ a similar scenario in the description of 2 Paillier supports computation of linear functions with their privacy-preserving face recognition algorithm. known coefficients homomorphically by repeated addition Practical Homomorphic Encryption Over the Integers for SecureComputationintheCloud 5 tropy by creating a k-vector ciphertext. Then we must a subset S of xi from the public key are chosen and the guess k plaintexts to break the system. Assuming that ciphertext is now calculated as c = m + 2r + 2 i∈S xi the inputs m1, m2, . . . , mn are chosen independently mod x0. The ciphertext is decrypted as previouslyP de- from , and the entropy is ρ, the entropy of a k-tuple scribed. We could extend our HEkN schemes here to a D (m1, m2, . . . , mk) is kρ. Thus the k-vectors effectively public key variant, using a similar device. However, we have entropy kρ. If k is chosen large enough, we have do not do so, since public key systems appear to have sufficient entropy to prevent brute force attack. The as- very little application in our model. sumption of independence among m1, m2, . . . , mn can van Dijk et al. bootstrap their public key system be relaxed, to allow some correlation, but we will not using Gentry’s method [44] to a fully homomorphic discuss the details. On the upside, some cryptanalytic scheme. In this case, the bootstrapping is done by ho- attacks for k = 1 do not seem to generalise even to momorphically making a suitable simulation of division k = 2. The downside is that ciphertexts are k times by p, thus obtaining an encryption of c mod p which larger, and each homomorphic multiplication requires can be used to continue the computation. Our FHE Ω(k3) time and space. For very large k, this probably proposal is based on entirely different principles. renders the methods impractical. Therefore, we con- Coron et al. [25,30,31,32] have produced several re- sider the case k = 2 in section 4. The general case is finements of the scheme in [35]. In [31], the authors considered in section 5. reduce the size of the public key by using a similar but Our work here supports computing arbitrary degree alternative encryption scheme. In this scheme, p is a multivariate polynomials on integer data. However, we prime in the specified interval, x0 is an exact multiple expect that for many practical applications, computing of p and the sum term in the ciphertext is quadratic low-degree polynomials will suffice. See [57] for a discus- rather than linear. In [32], they apply the Brakerski sion regarding this. In this paper, we present four vari- et al. [18] modulus switching technique to their sys- ants of our scheme. Two provide strong security under tem from [31]. In [25], the authors apply the Smart and the assumption that the input data has high entropy. Vercauteren optimisations [74] to their scheme. Finally, The other two provide strong security regardless of this in [30], they apply Brakerski’s scale-invariant technique assumption. Section 5 generalises these four schemes to [17] to their system. Pisa et al. [64] generalise van Dijk dimension k ciphertexts. et al.’s scheme from base 2 to base B integers. This scheme is similar to our HE1 scheme. However, our HE1 is a generalisation of van Dijk et al.’s SHE scheme to 2.6 Related Work an arbitrary prime base, rather than a generalisation of the public key scheme. Ramaiah and Kumari [67] A comprehensive survey of partial, somewhat, and fully produce a variant of van Dijk et al.’s scheme with sig- HE schemes is presented in [1]. In this section, we dis- nificantly smaller key sizes. Chen et al. [23] propose a cuss those most related to our own work. Some related more efficient re-encryption scheme that enhances van work ([65,76,77]) has already been discussed in section Dijk et al.’s scheme. Aggarwal et al. [2] devise a variant 2.5. without bootstrapping. Nuida and Kurosawa [62] pro- Our scheme is inspired by that of van Dijk et al. duce a scheme for non binary messages. Most recently, [35]. In their paper they produce a fully homomorphic Wang et al. [83] have produce a variant similar to Coron scheme over the integers where a simple “somewhat” et al.’s original scheme, which reduces the public key homomorphic encryption scheme is “bootstrapped” to a size by making the sum term cubic. fully homomorphic scheme. van Dijk et al. take a simple Several implementations of SHE and FHE schemes symmetric scheme where an integer plaintext m is en- have been produced. Lauter et al. [57] implement the crypted as c = m + 2r + pq, where p, the secret key, SHE scheme from [20]. However, they give results only is an odd η-bit integer from the interval [2η−1, 2η), and for degree two polynomials. Our schemes are capable r and q are integers chosen randomly from an interval of computing degree three and four polynomials for such that 2r < p/2. The ciphertext c is decrypted by practical key and ciphertext sizes. HELib [49] is an the calculation (c mod p) mod 2. Our scheme HE1N be- implementation of the BGV [18] FHE scheme. HELib- low (section 3.2) may be regarded as a generalisation MP [69] is an adaptation of HELib to support multi- of theirs to arbitrary prime moduli. precision moduli. At the current time, it only supports van Dijk et al. transform their symmetric scheme basic SHE features. The HEAT (Homomorphic Encryp- into a public key scheme. A public key x0,x1,...,x h τ i tion Applications and Technology) project’s HE-API is constructed where each x is a near multiple of p i [80] (Homomorphic Encryption Application Program- of the form pq + r′ where q and r′ are random integers ming Interface) has currently integrated HELib and chosen from a prescribed interval. To encrypt a message 6 James Dyer et al.

FV-NFLib [33], an implementation of the Fan and Ver- 3 Initial Homomorphic Scheme cauteren (FV) [42] SHE scheme, under a single API. The authors appear to have made significant improve- In this section we present details of our initial SWHE ments in circuit evaluation times, but few details have schemes over the integers. been made available [15]. Microsoft’s SEAL library [56] also implements the FV scheme, albeit, in a modified form. FHEW [38] implements the FHE scheme given in [37]. The performance of these implementations is 3.1 Sufficient Entropy (HE1) discussed in section 8. We have n integer inputs m1, m2, . . . , m [0,M). Erkin et al. [41] exploit the linearly-homomorphic n ∈ Negative integers can be handled as in van Dijk et properties of Paillier to compute feature vector matches al. [35], by taking residues in [ (p 1)/2, (p 1)/2), in their privacy-preserving face recognition algorithm. − − − rather than [0,p). We wish to compute a polynomial Our schemes can likewise compute known linear func- P of degree d in these inputs. The inputs are distrib- tions, simply by not encrypting the coefficients of the uted with entropy ρ, where ρ is large enough, as dis- function. cussed in section 2.3 above. In practical terms, ρ 32 Catalano et al. [22] aim to extend a linearly homo- ≥ will provide sufficient entropy for strong security, since morphic system, such as Paillier [63], to compute mul- breaking the system would require more than a billion tivariate quadratics homomorphically. However, their guesses. Our HE scheme is the system (KGen, Pgen, extension relies on pre-computing a product for each Enc, Dec, Add, Mult). pair of plaintexts and then applying a linear function on the encryption of these products. As such, it does not extend the underlying linear encryption scheme and 3.1.1 Key and Parameter Generation is not multiplicatively homomorphic. They claim that their system can compute any degree 2 polynomial with Let λ be a security parameter, measured in bits. Let p at most one multiplication. However, it is not clear how and q be randomly chosen large distinct primes such they would compute the polynomial m1 (m2 +...+m ) · n that p [2λ−1, 2λ], and q [2η−1, 2η], where η without performing n 1 offline multiplications. By con- ∈ ∈ ≈ − λ2/ρ λ. Here λ must be large enough to negate direct trast, our scheme would only require one multiplication. − factorisation of pq (see [55]), and p and q are chosen to In [21], Catalano et al. extend their approach to cubics. negate Coppersmith’s attack [29]. We will also require Zhou and Wornell [85] construct a scheme based on p> (n + 1)dM d to ensure that P (m , m , . . . , m )

Algorithm 2: Pgen: Parameter Generation Algorithm 4: Dec: Decryption algorithm Algorithm Input : c ∈C Input : λ ∈S Input : p: secret key Input : ρ ∈ Z: entropy of inputs Output: m ∈M Input : p: secret key 1 m ← c (mod p) Output: modulus ∈ Z: public modulus 2 return m 1 η ← λ2/ρ − λ η−1 η 2 q ←p [2 , 2 ] 3 modulus ← pq 4 return modulus 3.1.5 Addition

The sum modulo pq of two ciphertexts, c = m + rp ′ ′ ′ 3.1.2 Security parameters and c = m + r p, is given by Add (Algorithm 5). Since

We can easily set the security parameters λ and η to Algorithm 5: Add: addition algorithm practical values. To recap, n is the number of inputs, Input : c ∈C M is an exclusive upper bound on the inputs, d is the ′ Input : c ∈C degree of the polynomial we wish to calculate. We take Input : modulus ∈ Z: public modulus 2 p 2λ and then q 2η, where η = λ /ρ λ, to guard Output: result ∈C ≈ ≈ − ′ against the attacks of [28,50]. 1 result ← c + c (mod modulus) For HE1, we assume M 2ρ, n √M. Therefore, 2 return result ≈ ≤ p> (n + 1)dM d (nM)d for large n. ≈ ′ ′ ′ ′ ′ So, we may take Add(c,c ) = c + c = m + m + (r + r )p, Add(c,c ) decrypts to m + m′, provided m + m′ M 3d/2 23dρ/2 ≈ i.e. λ 3dρ/2 ≈ 3.1.6 Multiplication λ2 3dλ 3dρ 3d and η λ = λ = 1 ≈ ρ − 2 − 2  2 −  The product modulo pq of two ciphertexts, c = m + rp and c′ = m′ + r′p, is given by Mult (Algorithm 6). If n √M, M 2ρ then we may take λ 3dρ/2 ′ ′ ′ ′ ′ ′ ≈ ≈ ≈ Since Mult(c,c )= cc = mm +(rm + r m + rr p)p, it and η 3dλ/2 λ. For, example, if ρ = 32, d = 4, we ≈ − can take any λ> 192, η > 960. Note that λ scales linearly with d and η scales quad- Algorithm 6: Mult: multiplication algorithm ratically. These bounds carry over to HE2 and HEk. Input : c ∈C Input : c′ ∈C 3.1.3 Encryption Input : modulus ∈ Z: public modulus Output: result ∈C ′ 1 result ← cc (mod modulus) We encrypt a plaintext integer m using Enc (Algorithm 2 return result 3).

′ ′ Algorithm 3: Enc: Encryption algorithm decrypts to mm , provided mm

Definition 1 (Partial approximate common di- visor problem.) Suppose we are given one input x0, 3.1.4 Decryption of the form pr0, and n inputs xi, of the form pri + mi, i [1,n], where p is an unknown constant integer and ∈ We decrypt the ciphertext c using Dec (Algorithm 4). the mi and ri are unknown integers. We have a bound 8 James Dyer et al.

B such that m < B for all i. Under what conditions Proof Suppose that we have an unknown plaintext m, | i| on the m and r , and the bound B, can an algorithm encrypted as c = m + rp mod pq, where r $ [1,q). i i ← be found that can uniquely determine p in time poly- If we can factor pq in polynomial time, we can de- nomial in the total bit length of the involved? termine p and q in polynomial time, since we know p

Algorithm 7: KGen: Key Generation Al- 3.2.4 Arithmetic gorithm Input : λ ∈S Addition and multiplication of ciphertexts is given by Input : ρ ∈ Z: entropy of input Algorithms 5 and 6. Input : ρ′ ∈ Z: effective entropy of inputs Output: (κ,p): secret key λ−1 λ 1 p ←p [2 , 2 ] 3.2.5 Security. ′ 2 ν ← ρ − ρ ν−1 ν 3 κ ←p [2 , 2 ] The use of random noise gives the encryption the follow- 4 return (κ,p) ing “indistinguishability” property, which we will use to show that HE1N satisfies IND-CPA [6,7].

Algorithm 8: Pgen: Parameter Generation Lemma 2 For any encryption c, c mod κ is polyno- Algorithm mial time indistinguishable from the uniform distribu- Input : λ ∈S tion on [0,κ). Input : ρ′ ∈ Z: effective entropy of inputs Input : (κ,p): secret key Proof Let c = m + sκ + rp = m + rp mod κ, where Output: modulus ∈ Z: modulus for arithmetic 2 ′ r $ [1,q). Then, for i [0,κ), 1 η ← λ /ρ − λ η−1 η ← ∈ 2 q ←p [2 , 2 ] 3 modulus ← pq Pr c mod κ = i) = Pr(m + rp = i mod κ 4 return modulus = Pr r = p−1(i m) mod κ − q/κ 1/q, q/κ 1/q  ∈ ⌊ ⌋ ⌈ ⌉ [1/κ 1/q, 1/κ + 1/q ], 3.2.2 Encryption ∈ − where the inverse p−1 of p mod κ exists since p is a We encrypt plaintext m using Enc(Algorithm 9). prime. Hence the total variation distance from the uni- form distribution is

−1 Algorithm 9: Enc: Encryption Algorithm κ 1 Pr c mod κ = i) 1/κ < κ/q. Input : m ∈M 2 | − | =0 Input : (κ,p): secret key Xi Input : modulus: public modulus Output: c ∈C This is exponentially small in the security parameter 1 q ← modulus/p λ of the system, so the distribution of c mod κ cannot 2 r ←$ [1,q) be distinguished in polynomial time from the uniform 3 s ←$ [0,κ) distribution. 4 c ← m + sκ + rp (mod modulus) ⊓⊔ 5 return c We can further show that an adversary learns noth- ing about the plaintexts from the size of the corres- ponding ciphertexts.

Lemma 3 The ciphertexts c1,c2 for any plaintexts m1, m2 satisfy 3.2.3 Decryption 1 1 Pr(c1 c2) . We decrypt ciphertext c using Dec(Algorithm 10). ≥ ≤ 2 ± 2q Proof

Algorithm 10: Dec: Decryption Algorithm Pr(c1 c2) = Pr(m1 + s1κ + r1p m2 + s2κ + r2p) Input : ≥ ≥ c ∈C Pr(r p r p κ2) Input : (κ,p): secret key 1 2 ≤ ≥ −2 Output: m ∈M = Pr(r1 r2 κ /p) 1 m ← (c mod p) mod κ ≥ − 2 = Pr(r1 r2), since κ /p < 1 2 return m ≥ q i 1 q(q + 1) 1 1 = = = + q · q q2 2 2q Xi=1 10 James Dyer et al.

Similarly, Therefore, if is a polynomial time adversary, from A Lemmas 2 and 3 the advantage of , is: 1 1 A Pr(c2 c1) + 2 2q ind-cpa κ 1 2κ + 1 ≥ ≤ Adv (λ) 2 + 1= = negl(λ) 1 1 A,HE1N ≤  q 2q  − q = Pr(c1 c2) ⇒ ≥ ≤ 2 − 2q ⊓⊔ So, Therefore, HE1N is resistant to both the “guessing” 1 1 and “collision” attacks discussed in section 3.1. Pr(c1 c2) ≥ ≤ 2 ± 2q Lemma 4 Decrypting HE1N without knowledge of κ is polynomial time Turing equivalent to GACDP. ⊓⊔ We now proceed to the proof of IND-CPA. First, we Proof Suppose we can solve GACDP instances in poly- define the general approximate common divisor problem nomial time. If p is unknown, we have an instance of (GACDP)[50,24,28]. GACDP with offsets mi + siκ and approximate divisor p. We can solve this to obtain the offsets mi + siκ. Definition 3 (General approximate common di- These offsets form a new instance of GACDP with off- visor problem.) Suppose we are given n inputs x , of i set mi and approximate divisor κ. We can then solve the form pr +m , i [1,n], where p is an unknown con- i i ∈ this to obtain mi. If p is known, we need only solve the stant integer and the m and r are unknown integers. i i mi + siκ GACDP instance. Hence, we can decrypt any We have a bound B such that m 2, described in section 5.2. ′ ′ mial time indistinguishable from m2, m1, since they are indistinguishable from two independent samples from 3.2.7 Noise Growth uniform [0,κ). Therefore, in polynomial time, we will not be able to distinguish between the encryption c1 of So that the “noise” terms of the ciphertext do not grow m1 and the encryption c2 of m2. sufficiently large to cause the computational result to Practical Homomorphic Encryption Over the Integers for SecureComputationintheCloud 11 overflow the secret modulus p, we need to control the HE1 and HE1N. In both schemes presented below, HE2 growth of these terms. As a we are computing a poly- and HE2N, we add a further vector term, with two fur- nomial of degree d, each multiplication doubles the bit ther secret parameters. The two schemes presented be- length of the noise terms and each addition adds at low have a constant factor overhead for arithmetic op- most one bit. erations. An addition operation in the plaintext space To avoid overflow, as stated earlier, we set p> (n + requires two additions in the ciphertext space, and a d 2 d 1) (M + κ ) so that P (m1 + s1κ, m2 + s2κ, . . . , mN + multiplication in the plaintext space requires nine mul- snκ) < p. This is a worst case bound, based on the tiplications and four additions in the ciphertext space. largest possible coefficient of any term. Depending on the particular polynomial to compute, a lower bound 4.1 Sufficient entropy (HE2) on p may suffice to avoid overflow. As noted above, in this scheme we now add a multiple 3.2.8 Security parameters T of a secret vector, a =[a1a2] , to the ciphertext. There- fore, we encrypt m as Again, we can set the security parameters λ and η to practical values. For HE1N, we assume M 2ρ, and c =(m + rp)1 + sa, ′ ≈ we have ρ = ρ + lg κ. Now, T where 1 is the vector [1 1] and s $ [0,pq). As with ← d d d HE1, it is assumed that the inputs m (i [1,n]) are κ> (n + 1) M (nM) for large n, i ∈ ≈ of sufficient entropy. i.e. lg κ d(lg n + ρ) ≈ We decrypt c by eliminating a1 and a2 from the Therefore, since ρ = ρ′ lg κ, ciphertext and then taking the residue modulo p, i.e. − m = γT c mod p, lg κ>d lg n + d(ρ′ lg κ) − T −1 ′ where γ =(a2 a1) [a2 a1]. d(lg n + ρ ) − − i.e. lg κ We can easily see that this construction is homo- ≈ d + 1 morphic over addition. For HE2, we now define mul- Since κ is much larger than M, we also have tiplication of ciphertexts, c1 and c2 as the Hadamard λ d 2 d 2 d (elementwise) product of the augmented ciphertext vec- p = 2 > (n + 1) (M + κ ) (nκ ) for large n T ≈ tors c1⋆ and c1⋆ where the augmentation of c =[c1 c2] T i.e. λ d(lg n + 2 lg κ), is given by c =[c1 c2 c3] , where c3 = 2c1 c2. ≈ ⋆ − λ2 3dλ 3dρ′ 3d However, this Hadamard product will include addi- and η ′ λ = λ = 1 2 2 ≈ ρ − 2 − 2  2 −  tional a1 and a2 terms which means it is not a valid ciphertext. Therefore we re-encrypt by applying a mat- Then we can calculate η as for HE1 above. Again, λ rix R to the Hadamard product to eliminate these quad- scales linearly with d and η scales quadratically. These ratic terms. The construction of R is detailed in sections bounds carry over to HE2N and HEkN. 4.1.1 and 4.1.5. If we assume M 2ρ and large enough n, as in ≈ ′ section 3.1, then we may take lg κ>d(lg n + ρ), ρ = 4.1.1 Key and Parameter Generation ρ+lg κ, λ>d(lg n+2 lg κ). Then, for example, if d = 3, lg n = 16, ρ = 8, then lg κ > 72, ρ′ = 80, λ > 480, p and q are randomly chosen by KGen (Algorithm 11) η > 2400. In the extreme case that the inputs are bits, according to the bounds given in section 3.1. KGen sets T so ρ = 1, and d = 3, lg n = 16, then we can take a = [a1 a2] , where ai $ [1,pq) (i [1, 2]) such that ′ ← ∈ 3 lg κ 51 and ρ 52, and we have λ> 354, η > 2056, a1,a2,a1 a2 = 0 (mod p and mod q). ≈ ≈ − 6 which is only 15% smaller than for ρ = 8. Pgen(Algorithm 12) generates R, the re-encryption We must also ensure that κ is large enough to make matrix. the GACDP instances hard to solve (see [24,28,50] for details). Note that κ q for Theorem 2 to hold. 4.1.2 Encryption ≪ We encrypt a plaintext integer m as the 2-vector c us- 4 Adding a dimension ing Enc(Algorithm 13), where 1 = [1 1]T r and s are

3 In this section we discuss adding an additional dimen- The condition a1,a2,a1 − a2 =6 0, (mod p, mod q) fails with exponentially small probability 3(1/p + 1/q). Thus, sion to the ciphertext, which becomes a 2-vector. The a1 and a2 are indistinguishable in polynomial time from purpose of this is to increase the level of security beyond a1,a2 ←$ [0,pq). 12 James Dyer et al.

Algorithm 11: KGen: Key Generation Al- ditional on r, gorithm Pr[m + rp + sa = i mod pq]= Input : λ ∈S 1 Input : ρ ∈ Z: entropy of inputs Pr[s = a−1(i m rp) mod pq] = . Output: (p, a): secret key − − pq Output: modulus: public modulus λ−1 λ 1 p ←p [2 , 2 ] Since this holds for any i [0,pq), m+ra+sp mod pq 2 ∈ 2 η ← λ /ρ − λ is a uniformly random integer from [0,pq). η−1 η 3 q ←p [2 , 2 ] ⊓⊔ 4 modulus ← pq Note, however, that the components of the ciphertexts 5 repeat are correlated, and this may be a vulnerability. We dis- 6 ai ←$ [1, modulus) (i ∈ [1, 2]) 7 until a1,a2,a1 − a2 =06 (mod p and mod q) cuss this later in this section (“Cryptanalysis”). T 8 a ← [a1 a2] 9 return (p, a), modulus 4.1.3 Decryption

To decrypt, we use Algorithm 14. We call γ the decryp- Algorithm 12: Pgen: Parameter Generation tion vector. Algorithm Input : (p, a): secret key Input : modulus: public modulus Algorithm 14: Dec: Decryption Algorithm Output: R: public re-encryption matrix Input : c ∈C 1 q ← modulus/p Input : (p, a): secret key 2 2 β ← 2(a2 − a1) Output: m ∈M 3 $ T −1 ̺ ← [0,q) 1 γ ← (a2 − a1) [a2 − a1] 4 σ ←$ [0, modulus) 2 m ← γT c mod p −1 2 5 α1 ← β (σa1 + ̺p − a1) 3 return m −1 2 6 α2 ← β (σa2 + ̺p − a2) 1 − 2α1 α1 α1 7 R ←  −2α2 α2 +1 α2  8 return R 4.1.4 Addition

Algorithm 13: Enc: Encryption Algorithm We define the addition operation on ciphertexts as the Input : m ∈M vector sum modulo pq of the two ciphertext vectors c Input : (p, a): secret key and c′. Input : modulus: public modulus Output: c ∈C 1 q ← modulus/p Algorithm 15: Add: addition algorithm 2 r ←$ [0,q) 3 s ←$ [0, modulus) Input : c ∈C ′ 4 c ← (m + rp)1 + sa (mod modulus) Input : c ∈C 5 return c Input : modulus ∈ Z: modulus for arithmetic Output: result ∈C ′ 1 result ← c + c (mod modulus) 2 return result independent. We note that two encryptions of the same plaintext are different with very high probability. Therefore, if inputs m, m′ encrypt as (m+rp)1+sa, Theorem 3 The encryption scheme produces cipher- (m′ + r′p+)1 + s′a, texts with components which are random integers mod- Add(c, c′)= c + c′ =(m + m′ +(r + r′)p)1 +(s + s′)a. ulo pq. which is a valid encryption of m + m′. Proof Consider a ciphertext vector which encrypts the plaintext, m, and the expression m + rp + sa mod pq 4.1.5 Multiplication which represents one of its elements. Then r $ [0,q), ← T s $ [0,pq). If c =[c1 c2] , we construct the augmented ciphertext ← −1 T Consider first m + sa. We know that a mod pq vector, c = [c1 c2 c3] , where c3 = 2c1 c2. Thus, ⋆ − exists because a = 0 (mod p and mod q). Thus, con- c3 =(m + rp)+ sa3 mod pq, for a3 = 2a1 a2. 6 − Practical Homomorphic Encryption Over the Integers for SecureComputationintheCloud 13

Now, consider the Hadamard product modulo pq, Observe that α1,α2 in R are public, but give only ′ c⋆ c⋆, of the two augmented ciphertext vectors c⋆ and two equations for the four parameters of the system ′◦ c⋆ : a1,a2, σ, ̺p. These equations are quadratic mod pq, so ′ solving them is as hard as semiprime factorisation in c1c1 ′ ′ the worst case [66]. z⋆ = c⋆ c = c2c  mod pq ◦ ⋆ 2 Also, observe that, independently of a, c c′  3 3 Rc⋆ =(m + rp)R1⋆ + sRa⋆ =(m + rp)1 + sa = c, Therefore, if inputs m, m′ are encrypted as (m + ′ ′ ′ rp)1 + sa, (m + r p)1 + s a, we first calculate for any ciphertext c. Hence re-encrypting a ciphertext ′ ′ gives the identity operation, and discloses no informa- z⋆ =(m + rp)(m + r p)1⋆ ′ ′ ′ ′ ◦2 tion. + [(m + rp)s +(m + r p)s]a⋆ + ss a⋆ ′ ′ ◦2 =(mm + r1p)1⋆ + s1a⋆ + ss a mod pq, ⋆ Algorithm 16: Mult: multiplication algorithm ′ ′ ′ ′ ′ T where r1 = mr + m r + rr p, s1 =(m + rp)s +(m + Input : c =[c1 c2] ∈C ′ ◦2 2 2 2 T ′ ′ ′ T r p)s, and a⋆ =[a1 a2 a3] . Input : c =[c1 c2] ∈C ′ Input : modulus ∈ Z: public modulus As we can see, z⋆ is not a valid encryption of mm . ◦2 Input : R: re-encryption matrix We need to re-encrypt this product to eliminate the a⋆ Output: result ∈C term. 1 c3 ← 2c1 − c2 T We achieve this by multiplying z⋆ by R. It is easy 2 c⋆ ← [c1 c2 c3] ′ ′ ′ 3 c3 ← 2c1 − c2 to check that R1⋆ = 1 and Ra⋆ = a, independently of ′ ′ ′ ′ T 4 c⋆ ← [c1 c2 c3] a1,a2. Now ′ 5 result ← R(c⋆ ◦ c⋆) (mod modulus) ◦2 2 2 2 6 return result (Ra⋆ )1 = (1 2α1)a1 + α1a2 + α1(2a1 a2) 2 − 2 2 −2 = a1 + α1((2a1 a2) + a2 2a1) 2 − 2 − = a1 + 2α1(a2 a1) 2 − = a1 + α1β 4.1.6 Hardness = ̺p + σa1 ◦2 2 2 2 We can show that this system is at least as hard as (Ra⋆ )2 = 2α2a1 +(α2 + 1)a2 + α2(2a1 a2) −2 2 2 2 − SPACDP. In fact, = a2 + α2((2a1 a2) + a2 2a1) 2 − 2 − Theorem 4 SPACDP is of equivalent complexity to = a2 + 2α2(a2 a1) − the special case of HE2 where δ = a2 a1 (0 <δ

−1 (i = 1, 2,...,n). Determining the mi + δ (ci2 ci1)a 4.2 Insufficient entropy (HE2N) −1 − from the m + δ (c 2 c 1)a + r p (i = 1, 2,...,n) can i i − i i be done using SPACDP. However, we still need to de- In this section we extend HE1N above (section 3.2) to termine a in order to determine mi. This can be done two dimensions. As with HE1N, we now encrypt by also by “deciphering” R using SPACDP. We have adding a multiple of κ to produce the ciphertext 2 2 2 2 2δ α1 = σa a +̺p, 2δ α2 = σ(a+δ) (a+δ) +̺p, − − c =(m + rp + sκ)1 + ta. 2 2 so σ = 2δ (α2 α1) 2δa δ . Now a can be determined − − − 2 We decrypt by eliminating a and a , as in HE2, but we by first determining m0 = a(2δ (α2 α1) (2δ + 1)a 1 2 2 2 − − − now take residues modulo p and modulo κ to recover δ ) from m0 + ̺p = 2δ α1. This can be done using SPACDP. Then a can be determined by solving the the plaintext, 2 quadratic equation m0 = a(2δ (α2 α1) (2δ + 1)a − − − γT δ2) mod p for a. This can be done probabilistically in m =( c mod p) mod κ. polynomial time using, for example, the algorithm of Our addition and multiplication operations are identical Berlekamp [10]. So the case a =[a a + δ]T , with known to HE2 above. δ, can be attacked using SPACDP on the system m + ̺p, m + δ−1(c c )a + r p,..., 0 1 11 12 1 4.2.1 Key and Parameter Generation. −1 − m + δ (c 1 c 2)a + r p. n n − n n KGen (Algorithm 17) randomly chooses p,q and κ ac- ⊓⊔ cording to the bounds given in section 3.2. R is gen- Without knowing the parameter δ = a2 a1, HE2 erated by Pgen (which exactly the same as Algorithm − cannot be reduced to SPACDP in this way, so HE2 is 12). The secret key is (κ,p, a), and the public paramet- more secure than HE1. ers are pq and R, defined in section 4.1.

4.1.7 Cryptanalysis. Algorithm 17: KGen: Key Generation Al- Each new ciphertext c introduces two new unknowns gorithm r, s and two equations for c1,c2. Thus we gain no addi- Input : λ ∈S tional information from a new ciphertext. However, if Input : ρ ∈ Z: entropy of input ′ we can guess, m, m′ for any two ciphertexts c, c′, then Input : ρ ∈ Z: effective entropy of inputs Output: (κ,p, a): secret key (c1 m)= rp + sa1, (c2 m)= rp + sa2, Output: modulus: public modulus − − ′ (c′ m′)= r′p + s′a , (c′ m′)= r′p + s′a , 1 ν ← ρ − ρ 1 1 2 2 ν−1 ν − − 2 κ ←p [2 , 2 ] λ−1 λ and so we have 3 p ←p [2 , 2 ] ′ 4 η ← λ2/ρ − λ ′ ′ ′ ′ η−1 η (c1 m)(c2 m ) (c2 m)(c1 m ) 5 q ←p [2 , 2 ] − − − − −′ ′ 6 modulus ← pq =(a2 a1)(rs r s)p (mod pq). − − 7 repeat ′ ′ 8 a ←$ [1, modulus) (i ∈ [1, 2]) Since a2 = a1, and sr = s r with high probability, this i 6 6 9 until a1,a2,a1 − a2 =06 (mod p and mod q) is a nonzero multiple of p, νp say. We may assume ν

Enc matrix with entries 0, 1, 2, and whose first k rows form Algorithm 18: : Encryption Algorithm ± the k k identity matrix I . For example, if k = 3, Input : m ∈M × k Input : (κ,p, a): secret key Input : modulus: public modulus 1 0 0 Output: c ∈C  0 1 0  1 q ← modulus/p 0 0 1 2 r ←$ [0,q) U3 =    2 1 0  3 s ←$ [0,κ)  −   2 0 1  4 t ←$ [0, modulus)  −  5 c ← (m + rp + sκ)1 + ta (mod modulus)  0 2 1    6 return c − k Note that v⋆ = Ukv implies that 1⋆ is the 2 vector of 1’s, and that is a linear mapping, i.e. (r1v1 + r2v2)⋆ = Algorithm 19: Dec: Decryption Algorithm ∗ r1v1∗ + r2v2∗. Input : c ∈C Input : (κ,p, a): secret key Output: m ∈M 5.1.1 Key Generation T −1 1 γ ← (a2 − a1) [a2 − a1] 2 m ← (γT c mod p) mod κ 3 return m Algorithm 20: KGen: Key Generation Al- gorithm 4.2.4 Arithmetic. Input : λ ∈S Input : ρ ∈ Z: entropy of inputs Output: (p, a1,..., ak−1): secret key Addition and multiplication of ciphertexts are done us- Output: modulus: public modulus λ−1 λ ing algorithms Add and Mult (which are exactly the 1 p ←p [2 , 2 ] same as Algorithms 5 and 16). 2 η ← λ2/ρ − λ η−1 η 3 q ←p [2 , 2 ] 4 modulus ← pq 4.2.5 Security. 5 a0 ← 1 6 repeat k HE2N has all the properties of HE1N. However, it is 7 aj ←$ [1, modulus) ,j ∈ [1,k) 8 until a ,j ∈ [0,k), form a basis for Zk more secure, since there is an additional unknown para- j pq 9 return (p, a1,..., ak−1), modulus meter in the ciphertext. We also note that HE2N satis- fies Theorem 2, so it inherits the IND-CPA property.

KGen is detailed in Algorithm 20. It chooses p and q 4.2.6 Noise Growth randomly, according to the bounds given in section 4.1. In addition to choosing p and q, KGen also randomly The “noise” grows as detailed in section 3.2.7. chooses vectors a1,..., ak−1 such that a0, a1,..., ak−1 k form a basis for Zpq, where a0 = 1, the k-vector whose elements are all 1. We denote Ak as the k k matrix 5 Generalisation to k dimensions × [a0 a1 ... a −1] where the columns of A are the a ,i k k i ∈ [0,k). We show that the probability that a ,..., a In this section, we generalise HE2 and HE2N to k- 1 k−1 do not form a basis is negligible for large p and q in vectors. HE1 and HE1N are the cases for k = 1 and Lemma 5. HE2 and HE2N are the cases for k = 2.

Lemma 5 Pr(a0, a1,..., ak−1 do not form a basis for k Zpq) (k 1)(1/p + 1/q). 5.1 Sufficient entropy (HEk) ≤ − −1 Proof The a’s are a basis if Ak exists, since then v = −1 −1 We generalise HE2 to k dimensions. We extend our Akr when r = Ak v, for any v. Now Ak exists mod −1 definition of an augmented vector v⋆, for a k-vector, pq if (det Ak) mod pq exists, by constructing the ad- v, such that v is a k+1 -vector, with components v jugate of A . Now (det A )−1 mod pq exists if det A = ⋆ 2 i k k k 6 (1 i k) followed by 2v v (1 ik, vℓ = 2vi vj, where j

k a mod p $ [0,p) and a mod q $ [0,q). Hence, us- Proof We have v = A r for some r Z . Then A = ij ← ij ← k ∈ pq ⋆k ing the Schwartz-Zippel Lemma (SZL) [61], we have UkAk and v⋆k = Ukv, so Rv⋆ = RUkv = RUkAkr = Pr(det A = 0mod p) (k 1)/p and Pr(det A = RA r = A r = v. k ≤ − k ⋆k k ⊓⊔ 0 mod q) (k 1)/q, and it follows that ≤ − −1 This guarantees that re-encrypting a ciphertext by ap- Pr(∄ (det Ak) mod pq) (k 1)(1/p + 1/q). ≤ − ⊓⊔ plying R reveals no new information. ◦2 Pgen returns a valid matrix R provided the A⋆k has 5.1.2 Parameter Generation an inverse. We prove that this is true with high prob- ability in Theorem 5. In the unlikely event that this is not true, Pgen exits and we use KGen to generate new Algorithm 21: Pgen: Parameter Generation vectors a1,..., ak−1 until it is. Algorithm ◦2 Theorem 5 A⋆k has no inverse modpq with probabil- Input : (p, a1,..., ak−1): secret key ity at most (k2 1)(1/p + 1/q). Input : modulus: public modulus − Output: R: public re-encryption matrix 1 q ← modulus/p Proof We use the same approach as in Lemma 5. Thus ◦2 ◦2 2 a0 ← 1 A is invertible provided det A = 0 (mod p) and ⋆k ⋆k 6 3 Ak ← [a0 a1 ... ak−1] ◦2 det A⋆k = 0 (mod q). Let A denote the vector of aij’s, 4 foreach j ∈ [0,k) do 6 ◦2 (aij : 1 i k, 1 j

Note that Theorem 5 subsumes Lemma 5, since the 5.1.7 Multiplication ◦2 first k columns of A⋆k contain Ak as a submatrix, and must be linearly independent. Consider a Hadamard product of two augmented cipher- text vectors, c c′ . For notational brevity, letm ˜ = ⋆ ◦ ⋆ m + rp. 5.1.3 Computational overhead

c c′ = m˜ 1 + k−1 s a m˜ ′1 + k−1 s′ a The computational overhead increases, since the num- ⋆ ◦ ⋆ ⋆ j=1 j ⋆j ◦ ⋆ j=1 j ⋆j ber of arithmetic operations per plaintext multiplica- ′ P k−1 ′ ′ P  =m ˜ m˜ 1⋆ + j=1 (ms ˜ j +m ˜ sj)a⋆j tion is O(k3), and the space requirement per ciphertext + k−P1 s s′ a a is O(k), by comparison with HE1. j=1 j j ⋆j ◦ ⋆j + P (s s′ + s′ s )a a , 1≤i

A plaintext, m [0,M], is enciphered as c, a k- R(c c′ )=(mm′ +rp ˆ )1 + k−1 sˆ a ∈ ⋆ ⋆ j=1 j j vector, using Algorithm 22. ◦ + sˆ RP(a a ), 1≤i≤j≤k−1 ij ⋆i ◦ ⋆j P 5.1.5 Decryption. wherer ˆ,s ˆ ands ˆ (1 i

RA◦2 = [A C ] . 5.1.6 Addition. ⋆k k | k Addition is the vector sum of the ciphertext vectors as which by construction of R (Algorithm 21) has a solu- in HE2 (see section 4.1). The Add algorithm is identical tion. to Algorithm 15 with the exception that the vectors The multiplication algorithm Mult is given by Al- involved are k-vectors rather than 2-vectors. gorithm 24. 18 James Dyer et al.

Algorithm 24: Mult: multiplication algorithm Proof From Lemma 5, det A =0 mod p or det A = 0 T mod q with probability at most (k 1)(1/p + 1/q). Input : c =[c1 c2] ∈C ′ ′ ′ T − Input : c =[c1 c2] ∈C So det A is not zero or a divisor of zero mod pq. The Input : modulus ∈ Z: public modulus entries of W ′ are random [0,pq), and det W ′ is a poly- Input : R: re-encryption matrix nomial of total degree k in its entries. It is a nonzero Output: result ∈C ′ polynomial, since W = Ik is possible. Hence, using the 1 c⋆ ← Ukc ′ ′ ′ ′ 2 c⋆ ← Ukc SZL [61], Pr(det W = 0 mod p) k/p and Pr(det W = ′ ′ ≤ 3 result ← R(c⋆ ◦ c⋆) (mod modulus) 0 mod q) k/q. So det W is zero or a divisor of zero 4 ≤ return result mod pq with probability at most k(1/p + 1/q). So we have det A det W ′ = 0 mod pq with probability at most (2k 1)(1/p + 1/q). So det C = 0 with high probabil- − 6 5.1.8 Security ity. ⊓⊔ We construct R so that it satisfies Equation 4: Once we have recovered p, we can use the known mi to determine the decryption vector γ, by solving a ◦2 RA⋆k = [Ak Ck] . (4) set of linear equations. Let C0 = [c1 c2 ... ck], and | T m =[m1 m2 . . . mk]. k+1 k+1 which gives k 2 linear equations for the k 2 ele- ments of R in terms of quadratic functions of the k(k Lemma 8 Pr(det C0 = 0mod pq) (2k 1)(1/p + − ≤ − 1) a ’s (1 i k, 1 j k 1), which are undeter- 1/q). ij ≤ ≤ ≤ ≤ − mined. Thus the system has k(k 1) parameters that − Proof Note that C0 = C if m1 = m2 = = m = 0. cannot be deduced from R. ··· k Since Lemma 7 holds in that case, the result follows. Each c introduces k new parameters rp,s1,...,sk−1 and k equations, so the number of undetermined para- ⊓⊔ meters is always k(k 1). − Thus, with high probability, we can uniquely solve the T T system γ C0 = m mod p, to recover γ and enable 5.1.9 Cryptanalysis decryption of an arbitrary ciphertext. However, encryp- tion of messages is not possible, since we gain little Note that p can be determined from mi for k cipher- information about a1,..., ak. Note also that, if we de- texts. Let termined p by some means other than using k known plaintexts, it is not clear how to recover γ. C =[c1 m11 ... c m 1], − k − k To break this system, we need to guess k plaintexts. Ak =[1 a1 ... ak−1], The entropy of a k-tuple of plaintexts (m1, m2, . . . , mk) is kρ, so effectively we need µk guesses, where µ is the and let number of guesses needed to break HE1. So HEk can tolerate much smaller entropy than HE1, provided k r1p r2p ... r p k is large enough. If k is sufficiently large, the scheme  s1,1 s2,1 ... sk,1  W = . . , appears secure without adding noise, but does not have  . .  the other advantages of adding noise.    s s ... s   1,k−1 2,k−1 k,k−1  5.1.10 Fixing an insecurity for k > 2 r1 r2 ... rk −1 s1 1 s2 1 ... s 1 T ′  , , k,  The decryption vector for HEk is γ = (Ak )1. Note W = . . , T T . . that γ 1 = 1 and γ ai = 0(i [1,k 1]), since  . .  ∈ −   γT a  s s ... s  i = I1i (i [0,k 1]). The equations  1,k−1 2,k−1 k,k−1  ∈ − k−1 where ri,sij refer to ci. Then C = AkW , and so det C = R(a⋆i a⋆j) = p̺ij 1 + l=1 σijl al, (5) ′ ◦ det Ak det W . Note that det W = p det W , so det C P define a product on Zk so that c c′ = R(c c′ ). This is a multiple of p. Now det C can be determined in · pq · ⋆ ◦ ⋆ O(k3) time and, if it is nonzero, p can be determined product is linear, commutative and distributive, since R and ⋆ are linear operators, and is commutative as gcd(det C,pq). ◦ and distributive. So we have an algebra , with unit Ak Lemma 7 Pr(det C = 0mod pq) (2k 1)(1/p + element 1 [72]. The ̺ ,σ (i,j,l [1,k 1]) are the ≤ − ij ijl ∈ − 1/q). structure constants of the algebra. In general, will Ak Practical Homomorphic Encryption Over the Integers for SecureComputationintheCloud 19

Algorithm 25: Pgen: Parameter Generation method to determine p, and then γ, as described in Algorithm (Revised) section 5.1.9. In fact all we need is that (6) holds for any associator. That is, for all c1, c2, c3, we need Input : (p, a1,..., ak−1): secret key Input : modulus: public modulus T T γ ((c1 c2) c3) = γ (c1( c2 c3)) (mod pq), Output: R: public re-encryption matrix · · · · 1 q ← modulus/p 2 a0 ← 1 or, equivalently, using the Chinese Remainder Theorem, 3 Ak ← [a0 a1 ... ak−1] 4 foreach j ∈ [0,k) do T T 5 a⋆j ← Ukaj γ ((c1 c2) c3) = γ (c1 (c2 c3)) (mod q). (7) 6 end · · · · 7 foreach i,j ∈ [0,k), 0 ≤ i ≤ j

Lemma 10 Let τ, ̺ $ [0,q) (i [1,k 1]), let ̺ = Therefore, Pgen, which generates R, is Algorithm 21. i ← ∈ − ij k−1 sk a a ̺i̺j mod q, and let the σijl satisfy l=1 σijl ̺l = τ̺i̺j The secret key, ,is(κ, p, 1, ..., k−1), and the public (mod q) for all i,j [1,k 1]. Then,P for all i,j,ℓ parameters are pq and R. ∈ − ∈ [1,k 1], γT (a (a a )) = τ̺ ̺ ̺ mod q, the sym- − i · j · l i j l metry of which implies (8). 5.2.2 Encryption

Proof We have γT (a a ) = p̺ = p̺ ̺ for all j,ℓ j · l ij j l ∈ [1,k 1]. Hence, mod q, − Algorithm 27: Enc: Encryption Algorithm T k−1 Input : m ∈M γ (ai (aj al)) = p t=1 σjlt̺it · · Input : (p, a1,..., a − ): secret key Pk−1 k 1 = p t=1 σjlt̺i̺t Input : modulus: public modulus P k−1 Output: c ∈C = p̺i t=1 σjlt̺t 1 q ← modulus/p 2 r ←$ [0,q) = p̺iτ̺Pj̺l = pτ̺i̺j̺l. 3 s ←$ [0,κ) Thus the conditions of Lemma 10 are sufficient to re- 4 foreach j ∈ [1,k) do 5 tj ←$ [0, modulus) move the insecurity. The price is that we now have 6 end k k k−1 (k 1) +(k 1) + k(k 1) = (k + 1) + k 1 para- 7 2 2 c ← (m + rp + sκ)1 + j=1 tj aj (mod modulus) − k− − k − meters and k equations. There are  +(k 1) = 8 return c P 2 2 − (k + 2)(k 1)/2 independent parameters.  This is fewer − than the original k(k 1), but remains Ω(k2). − As a result, the parameter generation algorithm Pgen A plaintext, m [0,M], is enciphered by Algorithm ∈ is amended to Algorithm 25. 27.

5.2.3 Decryption 5.2 Insufficient entropy (HEkN)

We generalise HE2N to k dimensions. Algorithm 28: Dec: Decryption Algorithm 5.2.1 Key generation Input : c ∈C Input : (p, a1,..., ak−1)): secret key Output: m ∈M 1 Ak ← [a0 a1 ... ak−1] −1 −1 −1 2 T γ ← (Ak )1 // (Ak )1 is the first row of Ak Algorithm 26: KGen: Key Generation Al- 3 m ← (γT c mod p) mod κ gorithm 4 return m Input : λ ∈S Input : ρ ∈ Z: entropy of inputs ′ Input : ρ ∈ Z: entropy of inputs A ciphertext is deciphered by Algorithm 28. Output: (p, a1,..., ak−1): secret key Output: modulus: public modulus ′ 1 ν ← ρ − ρ 5.2.4 Arithmetic ν−1 ν 2 κ ←p [2 , 2 ] λ−1 λ 3 p ←p [2 , 2 ] The addition and multiplication algorithms are as in 4 η ← λ2/ρ − λ η−1 η section 5.1. 5 q ←p [2 , 2 ] 6 modulus ← pq 7 a0 ← 1 5.2.5 Security 8 repeat k ′ 9 aj ←$ [1, modulus) ,j ∈ [1,k) The effective entropy of HEkN is ρ = k(ρ+lg κ). Thus, 10 Zk until aj ,j ∈ [0,k), form a basis for pq as we increase k, the “noise” term can be made smaller 11 return a a − modulus (p, 1,..., k 1), while still providing the requisite level of entropy. Clearly HEkN also inherits the conclusions of The- orem 2, so this system also satisfies IND-CPA. KGen (Algorithm 26, randomly chooses κ, p and q according to the bounds outlined in section 4.2, and 5.2.6 Noise Growth sets a j. Note that, as a result of adding the “noise” j ∀ term, defence against non-associativity is not required. The “noise” grows as detailed in section 3.2.7. Practical Homomorphic Encryption Over the Integers for SecureComputationintheCloud 21

6 An extension of HE2N using the Chinese Algorithm 30: Pgen: Parameter Generation Remainder Theorem (HE2NCRT) Algorithm

Input : (κ,p1,p2,...,pK , a1,..., aK ): secret key As an interesting aside, we extend HE2N (section 4.2) Input : modulus1, modulus2,..., modulusK : public using a technique inspired by Chinese Remainder The- moduli orem (CRT) secret sharing, so that we compute the Output: R1,R2,...,RK : public re-encryption K matrices final result modulo a product of primes pj rather j=1 1 foreach j ∈ [1,K] do than modulo p, where K is the numberQ of primes. 2 qj ← modulusj /pj 2 In this scheme, we distribute the computation. We 3 βj ← 2(aj2 − aj1) have K sets of processors. Each processor computes 4 ̺j ←$ [0,qj ) 5 σj ←$ [0, modulusj ) arithmetic on ciphertexts modulo pjqj, where pj,qj are −1 6 2 αj1 ← βj (σj aj1 + ̺j p − aj1) suitable primes. Each plaintext is encrypted as K cipher- −1 7 α ← β (σ a + ̺ p − a2 ) texts where each processor receives the jth ciphertext j2 j j j2 j j2 1 − 2αj1 αj1 αj1 vector. Addition and multiplication of ciphertexts on 8 Rj ←  −2αj2 αj2 +1 αj2  processor j is as defined in section 4.1, except that it is 9 end performed modulo pjqj. 10 return R1,...,RK This serves two purposes. The first is to be able to handle larger moduli by dividing the computation into subcomputations on smaller moduli. The second is to it randomly chooses a prime pj such that pj satisfies λ−1 λ mitigate against exposure of the secret key p in the sys- 2 (n + 1) (M + κ ) . pjqj to the jth processor, for j [1,K]. This allows ∈ jY=1 us to replicate the computation where each subcompu- tation is encrypted using different parameters. Thus, It also randomly chooses qj, j [1,K], as for q ∈ T should an attacker compromise one subcomputation, in section 3.1. Finally, it sets aj = [aj1 aj2] , where they may gain no knowledge of other subcomputations. a $ [1,p q ) (j [1,K],k [1, 2]) such that a 1 = jk ← j j ∈ ∈ j 6 a 2 (mod p) and a 1 = a 2 (mod q). j j 6 j 6.0.1 Key Generation The parameter generation routine Pgen (Algorithm 30) generates each re-encrytion matrix R (j [1,K]). j ∈ The secret key, sk,is(κ,p1,...,pK , a1,..., aK ), and the public parameters are p q (j [1,K]) and R (j Algorithm 29: KGen: Key Generation Al- j j ∈ j ∈ gorithm [1,K]). Input : λ ∈S Input : ρ ∈ Z: entropy of input 6.0.2 Encryption Input : ρ′ ∈ Z: effective entropy of inputs Output: (κ,p1,p2,...,pK , a1,..., aK ): secret key Output: modulus1, modulus2,..., modulusK : public moduli ′ Algorithm 31: Enc: Encryption Algorithm 1 ν ← ρ − ρ ν−1 ν Input : m ∈M 2 κ ←p [2 , 2 ] 2 ′ Input : a a 3 η ← λ /ρ − λ (κ,p1,p2,...,pK , 1,..., K ): secret key Input : modulus modulus modulus 4 foreach j ∈ [1,K] do 1, 2,..., K : public λ−1 λ moduli 5 pj ←p [2 , 2 ] η−1 η Output: c1, c2,..., c ∈C 6 qj ←p [2 , 2 ] K 1 foreach j ∈ [1,K] do 7 modulusj ← pj qj 2 8 repeat qj ← modulusj /pj 3 rj ←$ [0,qj ) 9 aj i ←$ [1, modulusj ) (i ∈ [1, 2]) 4 sj ←$ [0,κ) 10 until aj1,aj2,aj1 − aj2 =06 (mod p and mod q) T 5 tj ←$ [0, modulusj ) 11 aj ← [aj1 aj2] 6 c ← (m + r p + s κ)1 + t a (mod modulus ) 12 end j j j j j j j 7 end 13 return (κ, p1, p2, ..., pK , a1, ..., aK ), modulus1, 8 return c1, c2,..., cK modulus2, ..., modulusK

The key generation process, KGen (Algorithm 29) We encrypt an integer, m , as the set of K ∈ M randomly chooses κ as in section 3.2. For all j [1,K], 2-vectors, c using Algorithm 31. ∈ j 22 James Dyer et al.

6.0.3 Decryption Algorithm 34: Multj: multiplication al- gorithm for processor j T Input : cj =[cj1 cj2] ∈C Input : c′ =[c′ c′ ]T ∈C Algorithm 32: Dec: Decryption Algorithm j j1 j2 Input : modulusj ∈ Z: public modulus Input : c1, c2,..., cK ∈C Input : Rj : re-encryption matrix Input : (κ,p1,p2,...,pK , a1,..., aK ): secret key Output: resultj ∈C Output: m ∈M 1 cj3 ← 2cj1 − cj2 K 1 T Π ← j=1 pj 2 cj⋆ ← [cj1 cj2 cj3] ′ ′ ′ 3 2 foreachQ j ∈ [1,K] do cj3 ← 2cj1 − cj2 T −1 ′ ′ ′ ′ 3 γ ← (a − a ) [a − a ] 4 T j j2 j1 j2 j1 cj⋆ ← [cj1 cj2 cj3] T ′ 4 d ← (γ c mod p ) 5 j j j j resultj ← Rj (cj⋆ ◦ cj⋆) (mod modulusj ) 5 Mj ← Π/pj 6 return resultj −1 6 µj ← Mj (mod pj ) 7 end K 8 m ← dj Mj µj (mod Π) (mod κ)   6.0.5 Extending HE2NCRT to k-vectors jP=1 9 return m Clearly HEkN could be extended to HEkNCRT in a similar way to the extension of HE2 to HEk. Future work will discuss the details of such a scheme. To decrypt a set of K ciphertexts we use Algorithm 32. We first decrypt the jth ciphertext of the computa- tional result, cj, as in section 4.1, to give 7 Fully Homomorphic System −1 P =(a 2 a 1) (a 2c 1 a 1c 2) (mod p ), j j − j j j − j j j We return to HEk, presented above in section 5.1. We where P = P (m1, m2, . . . , m ,κ) (mod p ). j n j will show that, for large enough k, this can be made We then use the Chinese Remainder Theorem to into a fully homomorphic system. compute the plaintext as Suppose we have inputs m1, m2, . . . , m , where m n i ∈ K [0,M], i [1,n], p, q are large primes, and we want to P (m1, m2, . . . , mn)= PjMjµj (mod Π) ∈   evaluate an arithmetic circuit, Φ, over the ring Zpq, on Xj=1 these inputs. (mod κ), From [51], the definition of an arithmetic circuit is: −1 where Mj = Π/pj and µj = Mj (mod pj). Note that Definition 4 (Arithmetic Circuits.) An arithmetic µj is a residue rather than a plaintext value. circuit Φ over the ring R and variables X = x1,...,x { n} Note that learning pj on one processor, does not is a directed acyclic graph with every node of in-degree allow an attacker to reconstruct the mi. Rather they either two or zero, labelled in the following manner: only learn mi + sijκ (mod p)j. every vertex of in-degree 0 is labelled by either a vari- able in X or an element of R. Every other node in Φ 6.0.4 Arithmetic has in-degree two and is labelled by either or +. A × circuit Φ computes a polynomial f R[X] in the obvi- ∈ ous manner. An arithmetic circuit is called a formula if the out-degree of each node in it is one (and so the un- Algorithm 33: Addj: addition algorithm for processor j derlying graph is a directed tree). The size of a circuit is the number of nodes in it, and the depth of a circuit Input : cj ∈C ′ is the length of the longest directed path in it. Input : cj ∈C Input : modulusj ∈ Z: modulus for arithmetic Output: resultj ∈C To transform HEk to a fully homomorphic system, ′ 1 resultj ← cj + cj (mod modulusj ) we define encryption of the circuit inputs as in HEk. 2 return resultj Similarly, addition and multiplication of ciphertexts at each arithmetic node of the circuit is defined as in the HEk scheme. This way we are able to compute the Addition of ciphertexts on processor j is performed arithmetic circuit homomorphically. However, this sys- using Algorithm 33. Multiplication of ciphertexts on tem is still “somewhat” homomorphic. If the compu- processor j is performed by Algorithm 34. tational result grows larger than p, we are unable to Practical Homomorphic Encryption Over the Integers for SecureComputationintheCloud 23 successfully decrypt the result. This restricts us to cir- x ∈{α0,α1} cuits of bounded depth to avoid this plaintext blow up. To make it fully homomorphic, we consider Boolean circuits [82]. A Boolean circuit is defined in [82] as: L(x,y) Definition 5 (Boolean circuit.) We define a basis of Boolean functions, B, where each member of B is a function, f : [0, 1]m [0, 1], for some m N. There- → ∈ fore, a Boolean circuit over a basis B, with n inputs and w ∈{γ0,γ1} m outputs, is then defined as a finite directed acyclic Figure 1 A wire from an input graph. Each vertex corresponds to either a basis func- tion, which we call a gate, or one of the inputs, and x ∈{α0,α1} y ∈{β0,β1} there are a set of exactly m nodes which are labeled as the outputs. The edges must also have some ordering, to distinguish between different arguments to the same Boolean function. Q(x,y) We note that any finite computation can be represented as a Boolean circuit. Typically, the basis B will be the Boolean functions, w ∈{γ0,γ1} AND, OR, and NOT. However, a Boolean circuit may be alternatively represented using only NAND gates Figure 2 An output wire on a NAND gate [73]. The indegree of any gate in the directed acyclic graph G = (V,E) is then always 2, but the outdegree 2. For each input i I, we represent the input bit value ∈ may be arbitrary. We will refer to the directed edges of b similarly, by x ω0 ,ω1 . i i ∈ { i i} this graph as wires. We note that, for a Boolean circuit, An input i I has a wire (Λ,i) on which the (en- ∈ the inputs to each gate are bits, as are the outputs. We crypted) input value xi is stored. For any wire e =(i,v) will denote the set of inputs to the circuit by I V , from input i, we have a linear function L(x)= a + bx, ⊆ and the set of outputs from the circuit by O V . In which converts the plaintext input value x α0,α1 ⊆ ∈ { } G, the inputs have indegree 0, and the outputs have to the wire value w γ0,γ1 . It is easy to check that ∈ { } outdegree 0, but we will regard the inputs as having in- this requires degree 1, and the outputs as having outdegree 1, with a =(α α )−1(α γ α γ ), wires from and to the external environment Λ. 1 0 1 0 0 1 − −1 − b =(α1 α0) (γ1 γ0). Note that, if we represent the bit values 0, 1 with − − known constants α0,α1, the system is open to attack, The encrypted coefficients of this function are stored even though the inputs are encrypted with HEk. For as data for the wire e (see Fig. 1). Note that all com- any ciphertext c, we can take putations are mod pq, and the required inverses exist 1 because the numbers involved are less than q. ′ c α01, with probability 2 , ′ c = − 1 For each output wire e =(v,v ) of a NAND gate v,  c α11, with probability . − 2 we have a quadratic function Q(x,y) = a + bx + cy + ′ 1 dxy, which converts the values on the input wires of Then c is an encryption of 0 with probability 2 . If we multiply ν of these ciphertexts, the probability that the gate, x α0,α1 , y β0,β1 , to the wire value ∈ { } ∈ { } none of them is an encryption of zero is 2−ν , so we w γ0,γ1 . It is easy to check that this requires ∈ { } obtain an encryption of zero with probability 1 2−ν . − a = γ0 + α1β1ϑ, b = β1ϑ, c = α1ϑ, d = ϑ, So, with ν repetitions of this process, if ν = 2 lg k, this is − − −1 1 1/k. By repeating the whole process Ω(k) times, we where ϑ = (α1 α0)(β1 β0) (γ1 γ0). Again, the − − − − can obtain k encryptions of zero with high probability. encrypted coefficients of this function are stored as data Once we have done this, we can use the gcd method for the wire e (see Fig. 2). of 5.1.9 to determine p. For each output NAND gate v O, we decrypt the ∈ Therefore, we encrypt both the inputs to the circuit, value w γ0,γ1 computed by its (unique) output ∈ { } and the values on the wires, using HEk. On each wire wire (v,Λ). Then the output bit is w mod 2. e E, we will represent the bit value b 0, 1 by Thus we have replaced the logical operations of the ∈ e ∈ { } w ω0 ,ω1 , where ω0 ,ω1 [0,q) are random Boolean circuit by evaluation of low degree polynomi- e ∈ { e e} e e ∈ even and odd integers respectively. Thus be = we mod als. For simplicity, we have chosen to use only NAND 24 James Dyer et al. gates, but we can represent any binary Boolean function so that each mapper receives an equal number of lines by a quadratic polynomial in the way described above. of input, ensuring maximum parallelisation. Finally, on Since the quadratic polynomials are encrypted in our the secure client side, the MR output is decrypted. system, they conceal the binary Boolean function they Our test environment consisted of a single secure represent. Thus the circuit can be “garbled” [8,45], to client (an Ubuntu Linux VM with 16GB RAM) and a minimise inference about the inputs and outputs of the Hadoop 2.7.3 cluster running in a heterogeneous Open- circuit from its structure. Nebula cloud. The Hadoop cluster consisted of 17 Linux However, there is a price to be paid for controlling VMs, one master and 16 slaves, each allocated 2GB of the noise. The encrypted circuit is not securely reusable RAM. Each experimental configuration of algorithm, with the same values ω0e,ω1e for we. Suppose we can polynomial degree (d), integer size (ρ), and effective observe the encrypted value on wire e three times giving entropy of inputs after adding “noise” (ρ′, for the ‘N’ cyphertexts c1, c2, c3. Two of these are encryptions of variant algorithms only), was executed 10 times. The the same value 2s0 or 1 + 2s1 . Thus (c1 c2) (c1 means are tabulated in Table 1. ,e ,e − · − c3) (c2 c3) is an encryption of 0. By doing this for k There are some small anomalies in our data. JS- · − wires, we can break the system. This is essentially the cience implements arbitrary precision integers as an ar- collision attack described in section 3. ray of Java long (64-bit) integers. This underlying rep- Some reuse of the encrypted circuit is possible by resentation may be optimal in some of our test config- using multiple values on the wires, and higher degree urations and suboptimal in others, causing anomalous polynomials for the gates. However, we will not con- results. Another possibility is that the unexpected res- sider this refinement, since the idea seems to have little ults are due to garbage collection in the JVM heap, practical interest. which may be more prevalent in certain test configura- As we discuss in section 5.1, the security of HEk tions. is exponential in k, So by setting k large enough we We may compare these results with those repor- make brute force attacks on the system infeasible. (A ted in the literature. Our results compare extremely brute force attack succeeds in polynomial time only if favourably with Table 2 of [57]. For encryption, our k = O(log log p).) Therefore, if we compute encrypted results are, in the best case, 1000 times faster than Boolean circuits, our system is fully homomorphic. those presented there, and, in the worst case, 10 times faster. For decryption, our results are comparable. How- ever, it should be noted that to decrypt our results we 8 Experimental Results take the moduli for large primes rather than 2 as in [57], which is obviously less efficient. For homomorphic HE1, HE1N, HE2, and HE2N have been implemented in sums and products, our algorithms perform approxim- pure unoptimised Java using the JScience mathematics ately 100 times faster. [57] only provides experimental library [34]. Secure pseudo-random numbers are gener- data for computing degree 2 polynomials. We provide ated using the ISAAC algorithm [52], seeded using the experimental results for higher degree polynomials. Linux /dev/random source. This prevents the weakness in Similarly, compared with Fig. 13 of Popa et al. [65], ISAAC shown by Aumasson [5]. our encryption times for a 32-bit integer are consider- The evaluation experiment generated 24,000 encryp- ably faster. While a time for computing a homomorphic ted inputs and evaluated a polynomial homomorphic- sum on a column is given in Fig. 12, it is unclear how ally on the inputs, using a Hadoop MapReduce (MR) many rows exist in their test database. Nevertheless, algorithm. On the secure client side, the MR input is our results for computing homomorphic sums compare generated as pseudo-random ρ-bit integers which are favourably with those given. Since CryptDB [65] only encrypted and written to a file with d inputs per line, supports homomorphic sums and cannot compute an where d is the degree of the polynomial to be computed. inner product, we can only compare the homomorphic The security parameters λ and η were selected to be the sum timings. minimum values required to satisfy the conditions give Table 1 of [76] is unclear whether the timings are in sections 3.1, 3.2, 4.1, and 4.2. In addition, the unen- aggregate or per operation. Even assuming that they crypted result of the computation is computed so that it are aggregate, our results are approximately 100 times may checked against the decrypted result of the homo- faster for homomorphic sum and product operations. morphic computation. On the Hadoop cluster side, each Crypsis [76] uses two different encryption schemes for mapper processes a line of input by homomorphically integers, ElGamal [40] and Paillier [63], which only sup- multiplying together each input on a line and outputs port addition or multiplication but not both. No discus- this product. A single reducer homomorphically sums sion of computation of an inner product is made in [76] the products. The MR algorithm divides the input file Practical Homomorphic Encryption Over the Integers for SecureComputationintheCloud 25

Table 1 Timings for each experimental configuration (n = 24000 in all cases, λ > 96). Init is the initialisation time for the encryption algorithm, Enc is the mean time to encrypt a single integer, Exec is the total MR job execution time, Prod is the mean time to homomorphically compute the product of two encrypted integers, Sum is the mean time to homomorphically compute the sum of two encrypted integers.

Alg. Parameters Encryption MRJob Decrypt d ρ ρ′ Init(s) Enc(µs) Exec(s) Prod(µs) Sum(µs) (ms) HE1 2 32 n/a 0.12 13.52 23.82 54.41 9.06 0.21 HE1 2 64 n/a 0.12 16.24 23.85 60.38 8.04 0.49 HE1 2 128 n/a 0.15 25.73 23.77 84.69 8.43 0.28 HE1 3 32 n/a 0.17 22.98 23.65 87.75 11.46 0.35 HE1 3 64 n/a 0.19 34.63 24.72 95.68 12.37 0.45 HE1 3 128 n/a 0.42 54.83 26.05 196.71 14.07 0.55 HE1 4 32 n/a 0.28 43.36 24.48 108.72 13.75 0.5 HE1 4 64 n/a 0.53 58.85 26.41 227.44 15.85 3.59 HE1 4 128 n/a 1.36 104.95 28.33 484.95 16.92 5.67 HE1N 2 1 32 0.22 32.99 22.94 88.38 8.53 3.35 HE1N 2 1 64 0.39 52.63 26.24 168.54 12.39 3.56 HE1N 2 1 128 1.2 89.01 26.18 226.2 13.16 8.1 HE1N 2 8 32 0.6 57.88 25.9 177.36 11.17 7.18 HE1N 2 8 64 0.32 43.93 26.53 96.78 12.18 2.27 HE1N 2 8 128 1.13 78.11 24.42 212.75 11.07 8.4 HE1N 2 16 64 0.33 53.97 27.15 168 13.67 4.47 HE1N 2 16 128 0.63 68.73 25.22 194.42 11.01 7.65 HE1N 3 1 32 8.54 183.19 24.24 522.07 12.06 9.09 HE1N 3 1 64 3.67 125 29.49 467.36 18.22 11.43 HE1N 3 1 128 27.84 313.76 26.94 1235.77 15.04 11.75 HE1N 3 8 32 115 462.45 32.61 1556.17 21.11 19.79 HE1N 3 8 64 9.75 180.08 25.87 500.62 15.03 10.39 HE1N 3 8 128 36.05 259.15 30.1 836.27 20.68 11.45 HE1N 3 16 64 30.96 378.99 28.24 1338.33 15.51 13.3 HE1N 3 16 128 8.13 226.32 27.92 621.95 18.01 10.89 HE2 2 32 n/a 0.16 85.79 26.82 305.52 11.68 4.83 HE2 2 64 n/a 0.17 95.92 29.71 354.79 16.9 3.26 HE2 2 128 n/a 0.22 132.53 32.84 540.78 22.83 4.92 HE2 3 32 n/a 0.23 130.3 31.18 513.93 23.77 6.52 HE2 3 64 n/a 0.29 145.62 32.84 615.9 24.61 6.3 HE2 3 128 n/a 0.52 249.47 29.54 1443.82 16.56 18.34 HE2 4 32 n/a 0.39 175.63 29.5 733.23 20.69 6.01 HE2 4 64 n/a 0.7 255.3 29.55 1578.39 18.29 16.24 HE2 4 128 n/a 2.7 465.51 37.47 2943.91 22.15 15.41 HE2N 2 1 32 0.27 147.83 29.74 571.94 16.58 5.66 HE2N 2 1 64 0.43 202.74 33.36 1291.68 18.3 13.23 HE2N 2 1 128 1.58 354.19 33.76 1977.51 17.13 12.46 HE2N 2 8 32 0.59 234.83 31.42 1413.31 15.21 14.92 HE2N 2 8 64 0.33 163.78 27.42 635.64 13.6 6.18 HE2N 2 8 128 0.9 307.68 36.32 1850.83 21.71 15.79 HE2N 2 16 64 0.42 208.1 29.96 1230.56 13.41 13.16 HE2N 2 16 128 0.73 274.48 30.82 1585.1 14.85 15.04 HE2N 3 1 32 5.72 651.1 36.49 3438.96 18.67 19.05 HE2N 3 1 64 4.45 477.52 35.33 3073.46 18.75 19.77 HE2N 3 1 128 26.83 1192.79 43.23 6416.43 22.48 25.12 HE2N 3 8 32 87.38 1658.36 49.63 8139.19 23.71 27.24 HE2N 3 8 64 5.21 607.75 36.54 3337.1 22.28 17.39 HE2N 3 8 128 17.14 945.64 40.49 4620.69 25.91 22.41 HE2N 3 16 64 39.19 1368.18 44.88 7005.7 24.1 28.3 HE2N 3 16 128 11.39 774.07 36.05 3845.1 20.29 20.74

but we expect that the timings would be considerably timings given are in seconds, so we believe that HELib worse as data encrypted using ElGamal to compute the will not be a serious candidate for SSCC in the imme- products would have to be shipped back to the secure diate future. client to be re-encrypted using Paillier so that the final As reported in [37], the current computational per- inner product could be computed. formance of FHEW [38] is poor compared with un- Varia et al. [79] present experimental results of ap- encrypted operations. The authors report that FHEW plying their HETest framework to HELib [48]. Varia processed a single homomorphic NAND operation fol- et al. show timings 104 to 106 times slower than that lowed by a re-encryption in 0.69s and using 2.2GB of of computations on unencrypted data. Although it is RAM. Therefore, we also believe that FHEW is not a unclear exactly which circuits are being computed, the candidate for SCCC, as it currently stands. 26 James Dyer et al.

Although claims regarding its performance have ap- result. In addition, as a result of the larger number of peared in the press [78], no benchmarking statistics inputs, we employed a tighter upper bound (nM d/d) on have been made publicly available for Microsoft’s SEAL the values of p and κ required to successfully decrypt library [56]. However, in [3], it is reported that, for the HE1/HE2 and HE1N/HE2N variants respectively. SEAL v1, the time to perform one multiplication is ap- The results for each experimental configuration are proximately 140ms. presented in Table 2. Comparing it with Table 1, shows With regard to FV-NFLib [33], Bonte et al. [15] re- only an increase of approximately 300% in average en- cently reported a significant decrease in the time to cryption and product calculation times for our most evaluate a four layer Group Method of Data Handling complex algorithm (HE2N), despite the 4,428-fold in- (GMDH) neural network [16] from 32s to 2.5s, as a res- crease in the number of inputs. The fact that these ult of their novel encoding of the inputs. times did not scale linearly with the number of inputs Aguilar-Melchor et al [3] report experimental find- may largely be attributed to the increased memory per ings regarding HELib-MP [69]. They show that HELib- worker node (28GB versus 2GB) and the tighter bounds MP outperforms FV-NFLib for large (2048-bit) plain- on p and κ. However, we also note that the bit size of texts. They further go on to benchmark HELib-MP the arbitrary precision integers involved will scale log- by computing RSA-2048 and ECC-ElGamal-P256. An arithmically in the number of inputs as a result of the in RSA-2048 takes between 157ms and tighter bound. Hence, the timings for arithmetic oper- 1.8s depending on the window size and number of multi- ations on those integers will also scale logarithmically. plications required. For ECC-ElGamal-P256, an elliptic curve multiplication takes between 96ms and 242ms de- 9 Conclusion pending on window size and number of elliptic curve additions. In this paper we have presented several new homo- Catalano et al. [22] provide experimental results for morphic encryption schemes intended for use in secure their work. For 128-bit plaintexts, our algorithms are single-party computation in the cloud (SSCC). We en- approximately 10 to 1000 times faster at performing visage that the majority of computation on integer big a multiplication operation and our most complex al- data, outside of scientific computing, will be comput- gorithm, HE2N, is roughly equal to their fastest, an ing low degree polynomials on integers, or fixed-point extension of Joye-Libert [53], for additions. decimals which can be converted to integers. Our some- Yu et al. [84] give experimental results for their what homomorphic schemes are perfectly suited to these implementation of the Zhou and Wornell scheme [85]. types of computation. From their Figures 3 to 5, it is hard to compare our Our evaluations have concerned only one- or two- scheme with theirs directly but it would appear that dimensional ciphertexts and polynomials of degree up our vector based schemes are at least comparable in to four. We intend to investigate higher degree polyno- performance to theirs. mials in future work. We believe that HE1N and HE2N provide strong security, even for low-entropy data, as they satisfy the desirable IND-CPA property. If a user 8.1 Microsoft Azure Cloud has a high confidence in the entropy of the input data, HE2 may provide sufficient security. In addition to performing our experiments in a small As they are only somewhat homomorphic, each of private cloud, we also scaled our experiment to a large these schemes require that the computational result cluster in Microsoft’s Azure public cloud 4. Our exper- cannot grow bigger than the secret modulus. In the imental environment consisted of a HDInsight cluster case of the “noise” variants, we also have to consider comprising two D13v2 head nodes and 123 D4v2 worker the noise term growing large. So, as they stand, these nodes (984 worker cores). schemes can only compute polynomials of a suitably The number of inputs was increased to 106,272,000 bounded degree. However, we believe this is adequate for each experimental configuration. As a result of the for most practical purposes. large volume of input data, our experiments were altered A further concern is that the ciphertext space is to create and encrypt the data in situ. This encrypted much larger than the plaintext space. This is as a res- data is then consumed by our experimental program. ult of adding multiples of large primes to the plain- As before, the output from out experiment was down- text. However, we have shown that values exist which loaded to a secure client and decrypted to verify the makes the system practical for computing low degree 4 This work was aided by a Microsoft Azure for Research polynomials. Similar schemes [31,35] produce cipher- sponsorship.[60] texts infeasibly larger than the corresponding plaintext, Practical Homomorphic Encryption Over the Integers for SecureComputationintheCloud 27

Table 2 Timings for each experimental configuration (n = 106272000 in all cases, λ > 96). Init is the initialisation time for the encryption algorithm, Enc is the mean time to encrypt a single integer, Exec is the total MR job execution time, Prod is the mean time to homomorphically compute the product of two encrypted integers, Sum is the mean time to homomorphically compute the sum of two encrypted integers.

Alg. Parameters Encryption MRJob Decrypt d ρ ρ′ Init(ms) Enc(µs) Exec(s) Prod(µs) Sum(µs) (ms) HE1 2 32 - 85.53 32.28 28.29 11.47 2.73 245 HE1 2 64 - 94.9 39.92 27.81 11.45 2.51 647 HE1 2 128 - 108.41 54.96 32.37 29.65 2.42 315 HE1 3 32 - 103.05 47.72 28.39 17.19 2.55 380 HE1 3 64 - 133.23 65.26 35.3 41.01 2.62 347 HE1 3 128 - 146.93 105.08 66.31 283.02 1.76 555 HE1 4 32 - 110.88 62.83 34.23 41.86 2.54 561 HE1 4 64 - 157.18 101.26 70.7 298.73 1.96 601 HE1 4 128 - 2244.7 201.59 86.06 398.64 2.77 27720 HE1N 2 1 32 120.36 81.56 33.04 31.19 2.46 4757 HE1N 2 1 64 254.62 113.8 60.43 226.07 1.71 6093 HE1N 2 1 128 543.44 214.76 68.83 289.12 2.25 34792 HE1N 2 8 32 220.88 121.43 62.32 234.7 2.01 5854 HE1N 2 8 64 197.35 96.82 35.99 40.38 2.2 5371 HE1N 2 8 128 558.05 190.3 71.05 287.43 2.25 35071 HE1N 2 16 64 159.33 112.72 35.5 42.87 2.59 5697 HE1N 2 16 128 433.71 171.56 64.5 261.45 2.23 33943 HE1N 3 1 32 617.06 130.88 68.5 300.76 1.91 32622 HE1N 3 1 64 1656.53 265 284 1520.65 3.08 41454 HE1N 3 1 128 43002.78 709.31 626.21 3671.64 4.89 34996 HE1N 3 8 32 16850.53 402.77 307.76 1659.24 3.25 33540 HE1N 3 8 64 2807.49 197.57 75.14 352.67 2.31 33591 HE1N 3 8 128 3701.99 585.24 340.2 1834.74 4.59 37663 HE1N 3 16 64 18828.28 415.87 309.18 1696.96 3.36 35064 HE1N 3 16 128 4672.69 474.73 315.1 1708.43 3.41 38737 HE2 2 32 - 122.25 525.64 103.38 75.11 1.86 784 HE2 2 64 - 116.27 549.24 118.68 84.28 1.91 1308 HE2 2 128 - 131.78 624.37 120.37 168.72 2.12 1482 HE2 3 32 - 152.55 560.01 103.56 111.55 2.14 960 HE2 3 64 - 180.11 650.07 122.14 211.68 2.24 1650 HE2 3 128 - 214.22 1462.87 452.92 2423.63 2.81 2399 HE2 4 32 - 160.11 658.37 130.34 219.3 2.43 1687 HE2 4 64 - 257.11 1446.8 448.06 2432.22 2.87 2610 HE2 4 128 - 1102.95 1921.06 601.83 3147.91 3.84 4200 HE2N 2 1 32 154.46 677.64 121.81 197.3 2.32 1149 HE2N 2 1 64 360.2 1464.05 422.87 2256.1 2.54 2889 HE2N 2 1 128 869.88 1992.68 511.34 2896.89 3.43 3257 HE2N 2 8 32 384.53 1472.49 433.05 2275.24 2.71 2515 HE2N 2 8 64 196.91 713.34 140.85 290.54 2.33 1154 HE2N 2 8 128 363.02 1803.51 503.41 2789.1 3.54 2740 HE2N 2 16 64 411.43 764.95 146.27 336.36 2.5 1833 HE2N 2 16 128 228.27 1660.48 466.07 2528.7 2.87 2565 HE2N 3 1 32 331.43 1553.09 446.9 2450.82 2.86 5360 HE2N 3 1 64 1197.62 5841.29 3120.64 16400 4.99 8129 HE2N 3 1 128 2805.34 12600 7193.61 40300 8.25 12565 HE2N 3 8 32 2658.76 5828.94 3317.31 17900 5.36 8676 HE2N 3 8 64 1047.95 1852.06 537.16 2996.51 3.59 3753 HE2N 3 8 128 7375.87 7292.07 4344.95 19500 7.31 11014 HE2N 3 16 64 850.94 6375.15 3359.67 18300 5.27 10942 HE2N 3 16 128 7057.17 6986.84 3358.11 17900 5.45 6026

which is a single bit. For example, it should be noted, data for off-line cryptanalysis, only high security suf- that even the practical CryptDB [65], which is only ad- fices. ditively homomorphic, enciphers a 32-bit integer as a The schemes presented in sections 3 and 4 extend 2048-bit ciphertext. Our schemes will produce cipher- to a hierarchy of systems, HEk, with increasing levels text of similar size, if high security is required. However, of security. These are presented in section 5 and may if the security is only intended to prevent casual snoop- be investigated further in future work. As stated in sec- ing, rather than a determined cryptographic attack, the tion 6, we can extend HE2NCRT to k-vectors to create ciphertext size can be reduced. Observe that the para- a HEkNCRT scheme. The discussion will appear in fu- meters of the system will change for each computation, ture work. We also showed that our HEk system can so a sustained attack has constantly to re-learn these be extended to an FHE system. We may also investig- parameters. Of course, if the attacker is able to export ate several enhancements of this FHE system. First, we 28 James Dyer et al. could implement a packed ciphertext optimisation for ings of 2014 International Conference on Cloud Com- our scheme where an operation is performed on a vec- puting and Internet of Things (CCIOT 2014), pp. 14–17 tor of ciphertexts rather than a single ciphertext [75]. (2014). DOI 10.1109/CCIOT.2014.7062497 3. Aguilar-Melchor, C., Killijian, M.O., Lefebvre, C., We can also investigate an improvement to address cir- Lepoint, T., Ricosset, T.: A Comparison of Open- cuit privacy [19]. Finally, we can investigate applying Source Homomorphic Libraries With Multi-Precision the Chinese Remainder Theorem secret sharing method Plaintext Moduli (2016). URL https://wheat2016.lip6. employed in HE2NCRT (section 6) to our fully homo- fr/ricosset.pdf. WHEAT 2016 4. Amazon Web Services, Inc.: Amazon EMR (2018). URL morphic scheme (section 7). http://aws.amazon.com/elasticmapreduce/ We have implemented and evaluated the schemes 5. Aumasson, J.P.: On the pseudo-random generator HE1, HE1N, HE2 and HE2N as part of an SSCC system ISAAC. Cryptology ePrint Archive, Report 2006/438 as discussed in section 8. Our results are extremely fa- (2006). https://eprint.iacr.org/2006/438 6. Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A Con- vourable by comparison with existing methods. In some crete Security Treatment of Symmetric Encryption. In: cases, they outperform those methods by a factor of Proceedings of the 38th Annual Symposium on Found- 1000. We have also performed extensive experiments ations of Computer Science (FOCS 1997), pp. 394–403. with large data sets (approximately 100 million inputs) IEEE (1997). DOI 10.1109/SFCS.1997.646128 7. Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Re- and shown that the increase in time to perform en- lations Among Notions of Security for Public-Key En- cryption and arithmetic operations grows sublinearly cryption Schemes. In: Proceedings of the 18th An- in the number of inputs. This clearly demonstrates the nual Cryptology Conference (CRYPTO 1998), pp. 26–45. practical applicability of our schemes. Furthermore, our Springer-Verlag (1998). DOI 10.1007/BFb0055718 MapReduce job execution times remain low even when 8. Bellare, M., Hoang, V.T., Rogaway, P.: Foundations of Garbled Circuits. In: Proceedings of the 2012 ACM using the largest set of parameters for HE2N. We be- Conference on Computer and Communications Security lieve that this demonstrates the advantages of these (CCS 2012), pp. 784–796. ACM (2012). DOI 10.1145/ schemes for encrypted computations on fixed-point data 2382196.2382279 in the cloud. 9. Bellare, M., Rogaway, P.: Introduction to Modern Cryp- tography (2005). Lecture Notes To conclude, we believe that the work in this paper, 10. Berlekamp, E.R.: Factoring Polynomials Over Large Fi- has achieved our goal of providing a homomorphic en- nite Fields. Mathematics of Computation 24(111), 713– cryption scheme over the integers suitable for SSCC. 735 (1970) In particular, our work significantly outperforms re- 11. Bernstein, D.J.: Post-Quantum Cryptography, chap. Introduction to post-quantum crypto- lated work [65,76,77] with regard to the running time graphy, pp. 1–14. Springer-Verlag (2009). DOI of arithmetic operations on encrypted data. 10.1007/978-3-540-88702-7 1 12. Bogos, S., Gaspoz, J., Vaudenay, S.: Cryptanalysis of a Homomorphic Encryption Scheme. Cryptology ePrint Acknowledgements This work was supported in part by En- Archive, Report 2016/775 (2016). https://eprint.iacr. gineering and Physical Sciences Research Council (EPSRC) org/2016/775 research grants EP/I028099/1 and EP/M004953/1 and Na- 13. Bogos, S., Gaspoz, J., Vaudenay, S.: Cryptanalysis of tional Key Research and Development Program of China re- a homomorphic encryption scheme. Cryptography and search grant 2016YFB1000103. Experimentation conducted Communications 10(1), 27–39 (2018). DOI 10.1007/ on Microsoft Azure was supported by a Microsoft Azure for s12095-017-0243-8 Research sponsorship. 14. Boneh, D., Shoup, V.: A Graduate Course in Applied Compliance with Ethical Standards Cryptography (2015). Draft 0.2 Funding: This study was funded by Engineering and Physical 15. Bonte, C., Bootland, C., Bos, J.W., Castryck, W., Sciences Research Council (EP/I028099/1 & EP/M004953/1) Iliashenko, I., Vercauteren, F.: Faster Homomorphic and National Key Research and Development Program of Function Evaluation using Non-Integral Base Encod- China (2016YFB1000103). Usage of Microsoft’s Azure cloud ing. Cryptology ePrint Archive, Report 2017/333 (2017). was funded by a Microsoft Azure for Research sponsorship. https://eprint.iacr.org/2017/333 Ethical approval: This article does not contain any studies 16. Bos, J.W., Castryck, W., Iliashenko, I., Vercauteren, F.: with human participants or animals performed by any of the Privacy-friendly Forecasting for the Smart Grid using Ho- authors. momorphic Encryption and the Group Method of Data Handling. Cryptology ePrint Archive, Report 2016/1117 (2016). https://eprint.iacr.org/2016/1117 17. Brakerski, Z.: Fully Homomorphic Encryption without References Modulus Switching from Classical GapSVP. In: R. Safavi-Naini, R. Canetti (eds.) Proceedings of the 1. Acar, A., Aksu, H., Uluagac, A.S., Conti, M.: A Sur- 32nd Annual Cryptology Conference (CRYPTO 2012), vey on Homomorphic Encryption Schemes: Theory and pp. 868–886. Springer-Verlag (2012). DOI 10.1007/ Implementation. ACM Computing Surveys 51(4), 79:1– 978-3-642-32009-5 50 79:35 (2018). DOI 10.1145/3214303 18. Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) 2. Aggarwal, N., Gupta, C., Sharma, I.: Fully Homomorphic Fully Homomorphic Encryption Without Bootstrapping. Symmetric Scheme Without Bootstrapping. In: Proceed- In: Proceedings of the 3rd Conference on Innovations in Practical Homomorphic Encryption Over the Integers for SecureComputationintheCloud 29

Theoretical Computer Science (ITCS 2012), pp. 309–325. H. Krawczyk (ed.) Proceedings of the 17th Interna- ACM (2012). DOI 10.1145/2090236.2090262 tional Conference on Practice and Theory in Public-Key 19. Brakerski, Z., Vaikuntanathan, V.: Efficient Fully Homo- Cryptography (PKC 2014), pp. 311–328. Springer-Verlag morphic Encryption from (Standard) LWE. In: Proceed- (2014). DOI 10.1007/978-3-642-54631-0 18 ings of the 52nd Annual IEEE Symposium on Found- 31. Coron, J., Mandal, A., Naccache, D., Tibouchi, M.: ations of Computer Science (FOCS 2011), pp. 97–106. Fully Homomorphic Encryption over the Integers with IEEE (2011). DOI 10.1109/FOCS.2011.12 Shorter Public Keys. In: P. Rogaway (ed.) Proceedings 20. Brakerski, Z., Vaikuntanathan, V.: Fully Homomorphic of the 31st Annual Cryptology Conference (CRYPTO Encryption from Ring-LWE and Security for Key De- 2011), pp. 487–504. Springer-Verlag (2011). DOI 10. pendent Messages. In: P. Rogaway (ed.) Proceedings 1007/978-3-642-22792-9 28 of the 31st Annual Cryptology Conference (CRYPTO 32. Coron, J., Naccache, D., Tibouchi, M.: Public Key 2011), pp. 505–524. Springer-Verlag (2011). DOI 10. Compression and Modulus Switching for Fully Homo- 1007/978-3-642-22792-9 29 morphic Encryption over the Integers. In: D. Pointche- 21. Catalano, D., Fiore, D.: Boosting Linearly-Homomorphic val, T. Johansson (eds.) Proceedings of the 31st An- Encryption to Evaluate Degree-2 Functions on Encryp- nual International Conference on the Theory and Ap- ted Data. Cryptology ePrint Archive, Report 2014/813 plications of Cryptographic Techniques (EUROCRYPT (2014). https://eprint.iacr.org/2014/813 2012), pp. 446–464. Springer-Verlag (2012). DOI 10. 22. Catalano, D., Fiore, D.: Using Linearly-Homomorphic 1007/978-3-642-29011-4 27 Encryption to Evaluate Degree-2 Functions on Encryp- 33. CryptoExperts: FV-NFLib. URL https://github.com/ ted Data. In: Proceedings of the 22nd ACM SIGSAC CryptoExperts/FV-NFLlib Conference on Computer and Communications Secur- 34. Dautelle, J.M.: JScience (2014). URL http://jscience. ity (CCS 2015), pp. 1518–1529. ACM (2015). DOI org 10.1145/2810103.2813624 35. van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, 23. Chen, L., Ben, H., Huang, J.: An Encryption Depth Op- V.: Fully Homomorphic Encryption over the Integers. In: timization Scheme for Fully Homomorphic Encryption. Proceedings of the 29th Annual International Conference In: Proceedings of the 2014 International Conference on on Theory and Applications of Cryptographic Techniques Identification, Information and Knowledge in the Inter- (EUROCRYPT 2010), pp. 24–43. Springer-Verlag (2010). net of Things (IIKI 2014), pp. 137–141. IEEE (2014). DOI 10.1007/978-3-642-13190-5 2 DOI 10.1109/IIKI.2014.35 36. van Dijk, M., Juels, A.: On the Impossibility of Crypto- 24. Chen, Y., Nguyen, P.Q.: Faster Algorithms for Approx- graphy Alone for Privacy-Preserving Cloud Computing. imate Common : Breaking Fully-Homomorphic- In: Proceedings of the 5th USENIX Workshop on Hot Encryption Challenges over the Integers. In: D. Pointche- Topics in Security (HotSec 2010), pp. 1–8. USENIX As- val, T. Johansson (eds.) Proceedings of the 31st An- sociation (2010). URL https://www.usenix.org/legacy/ nual International Conference on the Theory and Ap- events/hotsec10/tech/full_papers/vanDijk.pdf plications of Cryptographic Techniques (EUROCRYPT 37. Ducas, L., Micciancio, D.: FHEW: Bootstrapping Homo- 2012), pp. 502–519. Springer-Verlag (2012). DOI 10. morphic Encryption in Less Than a Second. In: E. Os- 1007/978-3-642-29011-4 30 wald, M. Fischlin (eds.) Proceedings of the 34th An- 25. Cheon, J.H., Coron, J., Kim, J., Lee, M.S., Lepoint, T., nual International Conference on the Theory and Ap- Tibouchi, M., Yun, A.: Batch Fully Homomorphic En- plications of Cryptographic Techniques (EUROCRYPT cryption over the Integers. In: T. Johansson, P.Q. Nguyen 2015), Part I, pp. 617–640. Springer-Verlag (2015). DOI (eds.) Proceedings of the 32nd Annual International Con- 10.1007/978-3-662-46800-5 24 ference on the Theory and Applications of Cryptographic 38. Ducas, L., Micciancio, D.: FHEW (2017). URL https: Techniques (EUROCRYPT 2013), pp. 315–335. Springer- //github.com/lducas/FHEW Verlag (2013). DOI 10.1007/978-3-642-38348-9 20 39. Dyer, J., Dyer, M., Xu, J.: Practical Homomorphic En- 26. Cheon, J.H., Kim, J., Lee, M.S., Yun, A.: CRT-Based cryption Over the Integers for Secure Computation in Fully Homomorphic Encryption Over the Integers. In- the Cloud. In: M. O’Neill (ed.) Proceedings of the formation Sciences 310, 149–162 (2015). DOI 10.1016/j. 16th IMA International Conference on Cryptography and ins.2015.03.019 Coding (IMACC 2017), Lecture Notes in Computer Sci- 27. Cheon, J.H., Stehl´e, D.: Fully Homomophic Encryption ence, vol. 10655, pp. 44–76. Springer-Verlag (2017). DOI over the Integers Revisited. In: E. Oswald, M. Fisc- 10.1007/978-3-319-71045-7 3 hlin (eds.) Proceedings of the 34th Annual Interna- 40. ElGamal, T.: A Public Key Cryptosystem and a Signa- tional Conference on the Theory and Applications of ture Scheme Based on Discrete Logarithms. IEEE Trans- Cryptographic Techniques (EUROCRYPT 2015), Part actions on Information Theory 31(4), 469–472 (1985). I, pp. 513–536. Springer-Verlag (2015). DOI 10.1007/ DOI 10.1109/TIT.1985.1057074 978-3-662-46800-5 20 41. Erkin, Z., Franz, M., Guajardo, J., Katzenbeisser, S., La- 28. Cohn, H., Heninger, N.: Approximate common divisors gendijk, I., Toft, T.: Privacy-Preserving Face Recogni- via lattices. In: Proceedings of the 10th Algorithmic tion. In: I. Goldberg, M.J. Atallah (eds.) Proceedings of Symposium (ANTS-X), vol. 1, pp. 271– the 9th International Symposium on Privacy Enhancing 293. Mathematical Sciences Publishers (2012). DOI Technologies (PETS 2009), pp. 235–253. Springer-Verlag 10.2140/obs.2013.1.271 (2009). DOI 10.1007/978-3-642-03168-7 14 29. Coppersmith, D.: Small solutions to polynomial equa- 42. Fan, J., Vercauteren, F.: Somewhat Practical Fully Ho- tions, and low exponent RSA vulnerabilities. Journal momorphic Encryption. Cryptology ePrint Archive, Re- of Cryptology 10(4), 233–260 (1997). DOI 10.1007/ port 2012/144 (2012). https://eprint.iacr.org/2012/ s001459900030 144 30. Coron, J., Lepoint, T., Tibouchi, M.: Scale-Invariant 43. Galbraith, S.D., Gebregiyorgis, S.W., Murphy, S.: Al- Fully Homomorphic Encryption over the Integers. In: gorithms for the approximate common divisor problem. 30 James Dyer et al.

LMS Journal of Computation and Mathematics 19(A), 58. Massey, J.L.: Guessing and Entropy. In: Proceedings 58–72 (2016). DOI 10.1112/S1461157016000218 of 1994 IEEE International Symposium on Informa- 44. Gentry, C.: Fully Homomorphic Encryption Using Ideal tion Theory (ISIT 1994), p. 204. IEEE (1994). DOI Lattices. In: Proceedings of the 41st Annual ACM Sym- 10.1109/ISIT.1994.394764 posium on Theory of Computing (STOC 2009), pp. 169– 59. Microsoft: HDInsight (2018). URL http://azure. 178. ACM (2009). DOI 10.1145/1536414.1536440 microsoft.com/en-gb/services/hdinsight/ 45. Goldreich, O., Micali, S., Wigderson, A.: How to Play 60. Microsoft: Microsoft Azure for Research (2018). ANY Mental Game. In: Proceedings of the 19th An- URL https://www.microsoft.com/en-us/research/ nual ACM Symposium on Theory of Computing (STOC academic-program/microsoft-azure-for-research/ 1987), pp. 218–229. ACM (1987). DOI 10.1145/28395. 61. Moshkovitz, D.: An Alternative Proof of the Schwartz- 28420 Zippel Lemma. In: Electronic Colloquium on Computa- 46. Goldwasser, S., Kalai, Y., Popa, R.A., Vaikuntanathan, tional Complexity (ECCC), p. 96 (2010) V., Zeldovich, N.: Reusable Garbled Circuits and Suc- 62. Nuida, K., Kurosawa, K.: (Batch) Fully Homomorphic cinct Functional Encryption. In: Proceedings of the Encryption over Integers for Non-Binary Message Spaces. 45th Annual ACM Symposium on Theory of Comput- Cryptology ePrint Archive, Report 2014/777 (2014). ing (STOC 2013), pp. 555–564. ACM (2013). DOI https://eprint.iacr.org/2014/777 10.1145/2488608.2488678 63. Paillier, P.: Public-Key Cryptosystems Based on Com- 47. Goldwasser, S., Micali, S.: Probabilistic Encryption. posite Degree Residuosity Classes. In: J. Stern (ed.) Journal of Computer and System Sciences 28(2), 270 – Proceedings of the 18th International Conference on 299 (1984). DOI 10.1016/0022-0000(84)90070-9 the Theory and Application of Cryptographic Tech- 48. Halevi, S., Shoup, V.: HELib. URL https://github.com/ niques (EUROCRYPT 1999), pp. 223–238. Springer- shaih/HElib Verlag (1999). DOI 10.1007/3-540-48910-X 16 49. Halevi, S., Shoup, V.: Bootstrapping for HELib. In: 64. Pisa, P.S., Abdalla, M., Duarte, O.C.M.B.: Somewhat ho- E. Oswald, M. Fischlin (eds.) Proceedings of the 34th momorphic encryption scheme for arithmetic operations Annual International Conference on the Theory and Ap- on large integers. In: Proceedings of the 2012 Global plications of Cryptographic Techniques (EUROCRYPT Information Infrastructure and Networking Symposium 2015), pp. 641–670. Springer-Verlag (2015). DOI 10. (GIIS 2012), pp. 1–8. IEEE (2012). DOI 10.1109/GIIS. 1007/978-3-662-46800-5 25 2012.6466769 65. Popa, R.A., Redfield, C., Zeldovich, N., Balakrishnan, 50. Howgrave-Graham, N.: Approximate Integer Common H.: CryptDB: Protecting Confidentiality with Encrypted Divisors. In: Revised Papers from the International Query Processing. In: Proceedings of the 23rd ACM Sym- Conference on Cryptography and Lattices (CaLC 2001), posium on Operating Systems Principles (SOSP 2011), pp. 51–66. Springer-Verlag (2001). DOI 10.1007/ pp. 85–100. ACM (2011). DOI 10.1145/2043556.2043566 3-540-44670-2 6 66. Rabin, M.O.: Digitalized Signatures and Public-Key 51. Hrubeˇs, P., Yehudayoff, A.: Arithmetic Complexity in Al- Functions as Intractable as Factorization. Tech. Rep. gebraic Extensions. Theory of Computing 7, 119–129 MIT/LCS/TR-212, MIT (1979) (2011) 67. Ramaiah, Y.G., Kumari, G.V.: Efficient Public Key Ho- 52. Jenkins, B.: ISAAC: a fast cryptographic random num- momorphic Encryption over Integer Plaintexts. In: Pro- ber generator (1996). URL http://burtleburtle.net/ ceedings of the 2012 International Conference on In- bob/rand/isaacafa.html k formation Security and Intelligent Control, pp. 123–128 53. Joye, M., Libert, B.: Efficient Cryptosystems from 2 - (2012). DOI 10.1109/ISIC.2012.6449723 th Power Residue Symbols. In: Proceedings of the 68. Regev, O.: On Lattices, Learning with Errors, Random 32nd Annual International Conference on the Theory Linear Codes, and Cryptography. In: Proceedings of the and Applications of Cryptographic Techniques (EURO- 37th Annual ACM Symposium on Theory of Computing CRYPT 2013), pp. 76–92. Springer-Verlag (2013). DOI (STOC 2005), pp. 84–93. ACM (2005). DOI 10.1145/ 10.1007/978-3-642-38348-9 5 1060590.1060603 54. Kipnis, A., Hibshoosh, E.: Efficient Methods for Practical 69. Ricosset, T.: HElib-MP. URL https://github.com/ Fully Homomorphic Symmetric-key Encrypton, Random- tricosset/HElib-MP ization and Verification. Cryptology ePrint Archive, Re- 70. Rivest, R.L., Adleman, L., Dertouzos, M.L.: On Data port 2012/637 (2012). https://eprint.iacr.org/2012/ Banks and Privacy Homomorphisms. Foundations of Se- 637 cure Computation 4(11), 169–180 (1978) 55. Kleinjung, T., Aoki, K., Franke, J., Lenstra, A.K., 71. Rivest, R.L., Shamir, A., Adleman, L.: A Method for Thom´e, E., Bos, J.W., Gaudry, P., Kruppa, A., Mont- Obtaining Digital Signatures and Public-Key Cryptosys- gomery, P.L., Osvik, D.A., Te Riele, H., Timofeev, A., tems. Communications of the ACM 21(2), 120–126 Zimmermann, P.: Factorization of a 768-bit RSA Modu- (1978). DOI 10.1145/359340.359342 lus. In: Proceedins of the 30th Annual Cryptology Con- 72. Schafer, R.D.: An Introduction to Nonassociative Algeb- ference (CRYPTO 2010), pp. 333–350. Springer-Verlag ras, vol. 22. Dover (1966) (2010). DOI 10.1007/978-3-642-14623-7 18 73. Scharle, T.W.: Axiomatization of Propositional Calcu- 56. Laine, K., Chen, H., Player, R., Wernsing, J., Naehrig, lus With Sheffer Functors. Notre Dame Journal of M., Dowlin, N., Cetin, G., Xia, S., Rindal, P.: Simple Formal Logic 6(3), 209–217 (1965). DOI 10.1305/ndjfl/ Encrypted Arithmetic Library - SEAL (2017). URL 1093958259 https://sealcrypto.codeplex.com/ 74. Smart, N.P., Vercauteren, F.: Fully Homomorphic En- 57. Lauter, K., Naehrig, M., Vaikuntanathan, V.: Can Ho- cryption with Relatively Small Key and Ciphertext Sizes. momorphic Encryption Be Practical? In: Proceedings In: Proceedings of the 13th International Conference of the 3rd ACM Workshop on Cloud Computing Secur- on Practice and Theory in Public Key Cryptography ity Workshop (CCSW 2011), pp. 113–124. ACM (2011). (PKC 2010), pp. 420–443. Springer-Verlag (2010). DOI DOI 10.1145/2046660.2046682 10.1007/978-3-642-13013-7 25 Practical Homomorphic Encryption Over the Integers for SecureComputationintheCloud 31

75. Smart, N.P., Vercauteren, F.: Fully homomorphic SIMD operations. Designs, Codes and Cryptography 71(1), 57– 81 (2014). DOI 10.1007/s10623-012-9720-4 76. Stephen, J.J., Savvides, S., Seidel, R., Eugster, P.: Prac- tical Confidentiality Preserving Big Data Analysis. In: Proceedings of the 6th USENIX Workshop on Hot Top- ics in Cloud Computing (HotCloud 14). USENIX Associ- ation (2014). URL https://www.usenix.org/conference/ hotcloud14/workshop-program/presentation/stephen 77. Tetali, S.D., Lesani, M., Majumdar, R., Millstein, T.: MrCrypt: Static Analysis for Secure Cloud Computa- tions. In: Proceedings of the 2013 ACM SIGPLAN In- ternational Conference on Object Oriented Programming Systems Languages & Applications (OOPSLA 2013), pp. 271–286. ACM (2013). DOI 10.1145/2509136.2509554 78. Thomson, I.: Microsoft researchers smash homo- morphic encryption speed barrier. The Register (2016). URL https://www.theregister.co.uk/2016/02/ 09/researchers_break_homomorphic_encryption/ 79. Varia, M., Yakoubov, S., Yang, Y.: HETest: A Homo- morphic Encryption Testing Framework. Cryptology ePrint Archive, Report 2015/416 (2015). https://eprint. iacr.org/2015/416 80. Vivek, S.: Homomorphic Encryption API Software Lib- rary. URL http://heat-h2020-project.blogspot.co.uk/ 2017/02/homomorphic-encryption-api-software.html 81. Viz´ar, D., Vaudenay, S.: Cryptanalysis of Chosen Sym- metric Homomorphic Schemes. Studia Scientiarum Mathematicarum Hungarica 52(2), 288–306 (2015). DOI 10.1556/012.2015.52.2.1311 82. Vollmer, H.: Introduction to Circuit Complexity: A Uni- form Approach. Springer (1999) 83. Wang, D., Guo, B., Shen, Y., Cheng, S.J., Lin, Y.H.: A faster fully homomorphic encryption scheme in big data. In: Proceedings of the 2017 IEEE 2nd International Con- ference on Big Data Analysis (ICBDA 2017), pp. 345–349 (2017). DOI 10.1109/ICBDA.2017.8078836 84. Yu, A., Lai, W.L., Payor, J.: Efficient Integer Vector Ho- momorphic Encryption (2015). URL https://courses. csail.mit.edu/6.857/2015/files/yu-lai-payor.pdf 85. Zhou, H., Wornell, G.: Efficient Homomorphic Encryp- tion on Integer Vectors and its Applications. In: Pro- ceedings of the 2014 Information Theory and Applica- tions Workshop (ITA 2014), pp. 1–9. IEEE (2014). DOI 10.1109/ITA.2014.6804228