
Practical Applications of Homomorphic Encryption

Michael Brenner, Henning Perl and Matthew Smith
Distributed Computing Security Group, Leibniz Universität Hannover, Hannover, Germany

Keywords: Homomorphic Encryption, Private Information Retrieval, Encrypted Search.

Abstract: Homomorphic cryptography has been one of the most interesting topics of mathematics and computer security since Gentry presented the first construction of a fully homomorphic encryption (FHE) scheme in 2009. Since then, a number of different schemes have been found that follow the approach of bootstrapping a fully homomorphic scheme from a somewhat homomorphic foundation. All existing implementations of these systems clearly proved that fully homomorphic encryption is not yet practical, due to significant performance limitations. However, there are many applications in the area of secure methods for cloud computing, distributed computing and delegation of computation in general that can be implemented with homomorphic encryption schemes of limited depth. We discuss a simple algebraically homomorphic scheme over the integers that is based on the factorization of an approximate semiprime integer. We analyze the properties of the scheme and provide a couple of known protocols that can be implemented with it. We also provide a detailed discussion on searching with encrypted search terms and present implementations and performance figures for the solutions discussed in this paper.

Brenner M., Perl H. and Smith M. Practical Applications of Homomorphic Encryption. DOI: 10.5220/0003969400050014. In Proceedings of the International Conference on Security and Cryptography (SECRYPT-2012), pages 5-14. ISBN: 978-989-8565-24-2. Copyright © 2012 SCITEPRESS (Science and Technology Publications, Lda.)

1 INTRODUCTION

Fully homomorphic encryption fired many people's imagination in the field of distributed computing security. Architectures have been proposed and many application scenarios have been identified that can benefit from FHE. Encrypted online storage, secure delegation of confidential computation and even privacy for searching the web: the Cloud was about to turn secure. Unfortunately, all implementations of fully homomorphic encryption schemes showed that this technique is still much too slow for practical applications.

The most important property of FHE is unlimited chaining of algebraic operations in the cipherspace, which means that an arbitrary number of additions and multiplications can be applied to encrypted operands. To achieve this, an FHE scheme must provide a mechanism to reduce the noise of cipher values, because these schemes are based on a slightly inaccurate representation of the plaintext values. Every single operation on a ciphertext causes even lower accuracy and eventually, the ciphertext can no longer be properly decrypted.

This paper focuses on somewhat homomorphic encryption, where no re-encryption is required but only a limited number of operations is possible. We discuss an algebraically homomorphic scheme and show, for a couple of problems of practical relevance, how these can be solved by a surprisingly small number of operations on encrypted values. We exemplarily discuss solutions to the Millionaires' Problem, one-round Oblivious Transfer and oblivious memory access based on the homomorphic scheme. We also discuss searching over encrypted data with encrypted search terms. Since this is a very important operation in distributed environments, we present our solution to this in more detail in a separate section. We show a delegation scheme, where the remote party operates with encrypted arguments on public data and generates encrypted results. This is useful when posing search requests to a public database while maintaining confidentiality of request and response.

The paper is structured as follows: Section 2 gives a summary of the current status of homomorphic cryptography. Section 3 outlines a somewhat homomorphic encryption scheme and analyses its properties in detail. Section 4 introduces a selection of algorithmic primitives that can be secured using our homomorphic scheme. Section 5 introduces a constant-depth approach to encrypted searching. In Section 6 we present details and performance figures of our implementation. Section 7 concludes the paper.

2 RELATED WORK

Since the breakthrough work of (Gentry, 2009), a number of similar approaches to fully homomorphic encryption appeared, like (Smart and Vercauteren, 2010) or slightly different approaches like (Brakerski and Vaikuntanathan, 2011). Performance figures of actual implementations (Brenner et al., 2011) and applications of FHE show that these systems can be used for small problems only. Due to the computational overhead of current FHE schemes, the question arises whether the underlying SHE schemes can also be used for more practical homomorphic encryption. Recent proposals, like (Naehrig et al., 2011), follow this approach. However, the fully homomorphic encryption is still subject to progress in terms of new considerations of hardness assumptions (Stehlé and Steinfeld, 2010) or conceptual simplicity (Coron et al., 2011).

There are different paradigms for secure delegation of computation like secure function evaluation (SFE) mostly based on Yao's Garbled Circuits (Yao, 1982) and extensions by (Malkhi et al., 2004) or (Kolesnikov et al., 2009b). Garbled circuits have also been combined with homomorphic encryption by (Gentry et al., 2010) and (Kolesnikov et al., 2009a) to overcome their inherent disadvantage of being limited to static one-pass boolean circuits.

A theoretical approach to achieve privacy of memory access patterns and algorithm execution in a special type of Turing Machines is the Oblivious Random Access Machine (ORAM) by (Goldreich, 1987) (Goldreich and Ostrovsky, 1996). There are recent proposals to reduce the complexity of ORAMs by Pinkas et al. (Pinkas and Reinman, 2010) and further developments towards practical applications by (Damgård et al., 2011) and (Goodrich and Mitzenmacher, 2011). Section 4 outlines how to achieve oblivious memory access with our scheme.

3 A SOMEWHAT HOMOMORPHIC ENCRYPTION SCHEME

This section describes the encryption scheme and its properties correctness, security and compactness. Our somewhat homomorphic encryption scheme E depends on the following parameters:

• the security parameter $\lambda$,
• the bit length $\eta$ of a cipher's initial noise,
• the modulus $p$ which is a large prime integer of order $2^{\lambda}$,
• the bit length $\rho$ of the message space, defined as $\lambda - \eta$.

3.1 The Basic Construction

Our scheme E is defined as a tuple $\{P, C, K, E, D, \oplus, \otimes\}$ where the elements denote the following:

P is the plaintext space and contains elements from $\mathbb{N}^{+}$ limited by the prime integer $p$ of order $2^{\lambda}$ such that for two plaintext operands $a, b \in \mathbb{N}_P$, $a \cdot b < p$ and $\mathbb{N}_P := \{x \mid x < 2^{\eta}\}$.

C is the ciphertext space and contains elements from $\mathbb{N}^{+}$.

K is the key generator. The secret key is a large prime integer $p$, the auxiliary compression argument is $d$ with $d \leftarrow 2s + rp$ with $r \in \mathbb{N}^{+}$ and $s \in \mathbb{N}_C$ with $\forall x \in \mathbb{N}_C, \forall y \in \mathbb{N}_P, 2x < y$ (see compactness).

E is the encryption function. We encrypt a bit value $b$ by picking an integer $a$ with $a \equiv b \bmod 2$ and adding a random even or odd multiple of the prime modulus, such that $a' = a + (rp)$. If $r$ is composite, it must contain at least one large prime factor of order $2^{\lambda}$. It is mandatory that $a \in \mathbb{N}^{+}$, i.e. the encryption must add noise (see below).

D is the decryption function. The decrypted result is the remainder of a ciphertext modulo the prime key $p$: $a = a' \bmod p$.

$\oplus$ is the addition in ciphertext space. Due to the cipher structure, the addition is performed as an ordinary arithmetic addition. The scheme is mixed additive.

$\otimes$ is the multiplication in ciphertext space. Like the addition, the multiplication is performed as an ordinary arithmetic multiplication. The scheme is mixed multiplicative.

In this scheme, the positive plaintext value is also the noise for the ciphertext because it additively interferes with the product of the prime factors that encrypt it. In order to obtain a probabilistic encryption scheme, we perform parity (mod 2) arithmetics, i.e. a plaintext bit is encoded in a random integer of the same parity. Notice that the encryption does not reveal the parity of the plaintext integer, because the encryption function E picks at random even or odd multiples $r$ of the key $p$. This effectively allows us to hide the parity of the plaintext and to encode binary information.

3.2 Correctness

We show the correctness of the encryption and decryption, as well as the homomorphic operations in the following lemmas, assuming that $p \in \mathbb{N}^{+}$ be a large prime integer as a secret key and $a$ and $b$ be two arbitrary positive integers with $a, b \ll p \in \mathbb{N}^{+}$.

Lemma 1. The encryption scheme E is mixed additive and the addition is correct if $a + b < p$.

Proof. We perform the encrypted addition as $(a' \oplus b')$ which extends to $(a' \oplus b') = (a + r_1 p) + (b + r_2 p) = a + b + (r_1 + r_2)p$ and decrypted mod $p$ yields $(a + b)$. The mixed additive operation is defined as $a' \oplus b = (a + rp) + b = a + rp + b \bmod p = a + b$.

Lemma 2. The encryption scheme E is mixed multiplicative and the multiplication is correct if $a * b < p$.

that efficiently computes $p$ from any cipher $a'$. That means that $A_{ex}$ is able to extract $p$ from any integer computed by a term of the form $a + pq$ for arbitrary $a, p, q$ and thus can be applied in a function

$B_{fac}(i) : p \leftarrow A_{ex}(0 + i)$

to factorize arbitrary composite integers $(pq)$ that can be trivially expressed as $0 + pq$.

Now we show the security of the encryption scheme against an attempt of $A$ to compute the plaintext value of a cipher. We achieve this by showing in addition to Lemma 4 an IND-CPA equivalent prop-
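The construction of Section 3.1 and the correctness bounds of Lemmas 1 and 2, as an added Python example that is not the authors' implementation. The toy sizes `LAM` and `ETA`, the way `r` is built (a large prime times a random small factor) and all function names are assumptions of this example.

```python
import secrets

LAM, ETA = 64, 8  # assumed toy sizes: security parameter, initial noise bits

def is_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(n):
            return n

def encrypt(p, bit):
    a = 2 * (secrets.randbelow(2 ** (ETA - 1) - 1) + 1) + bit  # 0 < a < 2**ETA
    # r has a large prime factor; the random small factor makes r even or odd
    # at random, so the parity of a' does not leak the parity of a (p is odd).
    r = random_prime(LAM) * (secrets.randbelow(2 ** 16) + 1)
    return a + r * p

def decrypt(p, c):
    return (c % p) % 2  # noise a = a' mod p, then the bit is its parity

def and_chain(p, bits):
    """AND fresh encryptions of bits; return (decrypted bit, noise stayed < p)."""
    prod_c = prod_a = 1
    for c in (encrypt(p, b) for b in bits):
        prod_c, prod_a = prod_c * c, prod_a * (c % p)  # c % p needs the key
    return decrypt(p, prod_c), prod_a < p

if __name__ == "__main__":
    p = random_prime(LAM)                          # secret key
    print(and_chain(p, [1] * ((LAM - 1) // ETA)))  # within the depth bound
    print(and_chain(p, [1] * LAM))                 # noise exceeds p
```

With these sizes, seven fresh ciphertexts can always be multiplied safely because their noise product stays below 2^56; once the noise product reaches p, the reduction mod p no longer returns the integer product and the decrypted bit is unreliable.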