Health & Lifestyle

IMPLEMENTATION AND ANALYSIS OF HOMOMORPHIC ENCRYPTION SCHEMES

Description
An encryption scheme is “homomorphic” if it is possible to perform implicit operation on the plaintext by processing the ciphertext only. The scheme is said to be “fully homomorphic’’ when we can perform (a sequence of operations) both addition and
Published
of 18
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
Related Documents
Share
Transcript
  International Journal on Cryptography and Information Security(IJCIS),Vol.2, No.2, June 2012 DOI:10.5121/ijcis.2012.2203 27 I MPLEMENTATION  A  ND  A  NALYSIS O F H OMOMORPHIC E NCRYPTION S CHEMES Nitin Jain 1 , Saibal K. Pal 2 & DhananjayK.Upadhyay 2 1 USIT, Guru Gobind Singh Indraprastha University, Delhi – 110 075 INDIA, garg.nitin007@gmail.com 2 Scientific Analysis Group, DRDO, Metcalfe House Complex, Delhi – 110 054 INDIA skptech@yahoo.com, dkudrdo@rediffmail.com  A  BSTRACT   An encryption s cheme is “homomorphic” if it is  possible to perform implicit operation on the plaintext by  processing the ciphertext only. The scheme is said to be “fully homomorphic’’ when we can perform (a sequence of operations) both addition and multiplication, wherea s, it is “somewhat homomorphic’’ if it supports a limited number of operations. We describe how Gentry’s transformation can be applied on bootstrappable Somewhat Homomorphic Encryption (SHE) scheme to make it a fully homomorphic scheme(FHE) by squashingthedecryptioncircuiti.e. evaluating with a low-degree polynomial. Thesecurity of theabove scheme isbased on the hardness of Approximate Integer Common Divisor Problem (ACDP) whichwas introduced in 2001 by Howgrave  –  Graham.Amongthe two versions ofACDP, the general version(GACDP) is apparently more secure than its partial version (PACDP). We have implemented and analyzed Gentry’s scheme and have suggested some improvements to make it  more secure by selecting the Keys parameter in the permissible range.  K   EYWORDS  Homomorphic encryption, SHE, FHE, Bootstrapping, Approximate GCD, Learning with error. 1. I NTRODUCTION With growing communication networks and digital communication,secure communication anddata security is of paramount importance.Today one way to achieve secure communication is bythe use of cryptography[1],[2], whichconcurrently ensuresconfidentiality of data incommunication and instorage. For storing andaccessingdata securely thereexistmany wayswhich can guarantee privacy and confidentiality, such as data encryption and tamper resistancehardware.However,the problem becomes quite complex when it isrequiredto compute publiclyprivate data or to modify a function or algorithm in such a way that they are still executable whiletheir privacy is ensured. This is where a  Homomorphic Cryptographic schemes [3]maybe usedasit enables computation with encrypted data i.e. without knowing anythingabout thecorresponding plain data. Using suchschemes,we can performcomputations on encrypted dataand get back desired results after decryption. Forcoherence, the decrypted resulthas to be equal  International Journal on Cryptography and Information Security(IJCIS),Vol.2, No.2, June 201228 to the intended computed value,ifperformed on the srcinal data.During the last fewyears,homomorphic encryption techniques have been studied extensivelyandhave found application inmany different cryptographic protocols operating over open and untrusted networks.Untrustednetworksare givenonlyanencrypted version ofthedata. The network will perform computationon this encrypted data. To ensure thatthe encrypted data is really being processed securely wasaddressed by Rivest[3]through homomorphic encryption.However,this scheme has securityflaws as pointedout by Brickell and Yacobi[4].Ever sincesuch schemes have been improvedandimplemented for practical purposesas in the case ofsecret sharing scheme, threshold scheme,electronic auction, commitment scheme, oblivious transfer, anonymity, privacy, electronic voting,multiparty computation, zero knowledge proof, watermarking and fingerprinting[5], protection of mobile agent and mix-nets.The organization of the paper is as follows. Section 2 gives the basic definitions of theterminologies used in the paper. Section 3 emphasizes on the security aspects of encryptionschemes. Homomorphic encryption schemes focusing on homomorphic encryption over integersarediscussed inSection 4. Finally, we give the implementation results of Gentry’s scheme and some parameter optimization in Section 5. 2. B ASIC D EFINITIONS In thissection,we describe some basicterminologyused in the paper. 2.1. Encryption and Decryption Encryption is the conversion of data into a form, called aciphertext that cannot be easilyunderstood by unauthorized people and decryption is the process of converting encrypted databack into its srcinal form, so thatthe authorized recipient can understand it. According to Kerckoffs’ principle [6],[7],security must rely upon the secrecy of the scheme, but not on theobfuscation of the code. Acryptography scheme is assumed to be publically known whereasthesecret pieceofinformationsuch as key is responsible for the secrecy of the scheme. According tokey management, encryption schemes areof twotypes:Symmetric and Asymmetric encryptionschemes. 2.1.1. Symmetric Encryption Anencryptionsystem in which the sender and receiver of a message share a single,commonkeythat is used to encrypt and decrypt the messageis called as Symmetric Encryption.Symmetric-key systems are faster, but their main drawback is that two partieswishing tocommunicate have toexchange the key in a secure way.In addition, scalability is problem as thenumber of users increase in the network.Due to its secretnature,symmetric-key cryptography issometimes referredassecret-key cryptography . 2.1.2. Asymmetric Encryption An encryption scheme is calledasymmetric encryptionif it uses two keys instead of onekey as insymmetric encryption. One key encryptsthe dataand the other decrypts. It is also changeably  International Journal on Cryptography and Information Security(IJCIS),Vol.2, No.2, June 201229 referredtoas public key cryptography. An important element of the public key system is that thepublic and private keys are related in such a way that only the public key can beused to encryptmessages and only itscorresponding private key can be used to decrypt them. Moreover, it isvirtually impossible to deduce the private key even if the public key is known. Public keycryptography was invented in 1976 by Whitfield Diffie and Martin Hellman[1],[2]and thescheme was calledDiffie-Hellman encryption. Security of thistype of scheme is based onhardproblems inmathematics, whichare difficult to solve in polynomial time. However, the downsideis that they are slower than the symmetric schemes duetonon-trivial mathematical computations.That iswhy this encryption scheme is used only for encryption ofsmalldataor keyswhilesymmetric scheme can be used forlargerones. 2.2. Homomorphic Encryption Homomorphic encryption allows complex mathematical operations to be performed on encrypteddata without revealing the contents of the srcinalplain data. For plaintexts P1 and P2 andcorresponding ciphertext C1 and C2, a homomorphic encryption scheme permits meaningful computation of P1 P2 from C1 and C2 without revealing P1 or P2.The cryptosystem is additive or multiplicative homomorphic depe nding upon the operation which can be addition or multiplication . A homomorphic encryption scheme consists of the following four algorithms: KeyGen ( λ ):  Input-the security parameter λ .  Output-a tuple (  , ) consisting of the secret keyand public key. Encrypt (  , ):  Input-a public keyand a plaintext.  Output-ciphertext. Decrypt (,):  Input-a secret keyand a ciphertext.  Output-the corresponding plaintext. Evaluate (  , , ):  Input-a public key,a circuitwithinputs (of the setof allowed circuits) and a setof ciphertext  ,....., .  Output-a ciphertext.Therefore, a homomorphic encryption scheme consists of all algorithms of a conventional publickey encryption scheme and an extra one. The correctness-condition for the conventional part of ahomomorphic encryption scheme is identical to that ofa (non-homomorphic) public keyencryption scheme.The additional algorithm  Evaluate is supposed to do the following:  International Journal on Cryp Ifis a ciphertext correspondi Evaluate (  , , ) shall return a circuitwithinputs.A homomorphic encryption sccorrectness-condition on the alg 2.2.1. Fully Homomorphic Enc A homomorphicencryption schand the size of its decryption althe security parameter. Patrick[that the size constraint of the dsimply outputs  ( , ) and the dcomponent ofand then apply t Figure 1: 2.2.2. Somewhat Homomorphi Ascheme is said to be somewadditionsand multiplications beup to a limited extent.A Homomorphic Encryption cInteger factorization, DiscreteUnivariate andMultivariatesche 2.3. Bootstrappable Homom Bootstrapping is used byGentrhomomorphic encryption schem 3. S ECURITY A SPECTS Except one time pad, thesecuritwith respect to available compperfect secrecy/unconditional s ography and Information Security(IJCIS),Vol.2, No.2, J g to the plaintextfor  = 1 … and  = ( ,..  a ciphertextcorresponding to the plaintext  (  , eme is said to correctly evaluate(a set of cirithm  Evaluate from above holds for all circuits   ryption (FHE) me is fully homomorphic if it correctly evaluates orithm (as a circuit) is bounded by some (fixed) 8]shows an illustrative algorithm using Figure 1, cryption algorithm excludes trivial schemes in wh cryption algorithm  Decrypt is adapted to first decr he circuitto the decrypted part . An illustrative view ofthe Evaluate-algorithm  Encryption   hat homomorphic if it can deal with only a limitorethedecryption fails i.e. the depth of decryption n be developedwith existing mathematical primiLog problem,Learningwith error, Latticebames, Small Principal Ideal problem and others . orphic Encryption [9],[10]to convert a somewhat homomorphic sc. It is described in detail in Section4.6.1and 4.6.2.of any cryptosystem or any encryption scheme ca utational infrastructure. Shannon[11]introduced ecurity with characterized encryption scheme f   ne 201230 ..., ) , then ......,  ) forcuits), if the   . ll the circuits olynomial in nd points outich  Evaluate ypt the singled number of  circuit can gotives such asedschemes,heme to fully be evaluated the notion of r which the  International Journal on Cryptography and Information Security(IJCIS),Vol.2, No.2, June 201231 knowledge ofthecipher text does not give any informationeither aboutthe plain text or about thekey. Under this assumption he proved that one time pad is perfectly secure and any other schemeneither symmetric nor asymmetric has been proved unconditionally secure. As far as asymmetricschemes are concerned, their security depends on the hardness ofmathematical structure used todesign the scheme. These mathematical structures are well defined and are hard to solve ingeneral, but these problems can be solved easily if anyone knows the keys for such scheme; onecan compare the hardness of the probleme.g. factoring large integers or solving discrete log[12]in a large group.Therefore, one can analyze that the security ofanasymmetric encryption schemedepends on the intractability of mathematical structure,however,there may be other ways tobreak the system other than solving the underlying mathematical problem. In someapplications,even the partial information gained from the ciphertext could endanger security, so the minimalrequirement for an encryption scheme is that it must be impossible to recover the plain text foranybody not knowing the decryption key. This may be described in other wordsas “whatever an attacker can compute about the plaintext given the ciphertext, he can also compute without the ciphertext” [13]. The most well known deterministic cryptosystem RSA[14]is for a fixedencryption key andfor agivenplaintext,encryption willproduceexactly the same ciphertext.Probabilistic encryption ensures generation of differentciphertextfor the same plaintextmessage.Firstly, the notion of semantic security was introduced[15]at the same time as probabilisticencryption;in order to definewhatcould be a strong security level,but not possiblewithoutprobabilistic encryption. A probabilisticencryptionis semantically secure if the knowledge of ciphertext does not provide any useful information aboutplaintext to some hypothetical adversaryhaving only a reasonable computational power. In a more formal manner, for any functionandany plaintextwith only polynomial resources, the probability to guess  ( ) (knowing  f  but not m ) does not increase if the adversary knows a ciphertext correspondingto. This can beconsidered asakind of perfect secrecy withpolynomial resources.After defining semanticsecurity , second notion of   polynomials security was defined: the adversary chooses twoplaintexts, and wesecretlychoosearandomplaintext and providethe adversary a correspondingciphertext. The adversary, still with polynomial resources, must guess which plaintext wehadchosen. If the best he can do is to achieve a probability 1/2 + ε of success,thenthe encryption issaid to be  polynomially secure . Polynomial security is now known as the “ indistinguishability of encryption ” following the terminology and definitions ofGoldreich[16]. Goldwasser and Micaliproved the equivalence between polynomial security and semanticsecurity[15]. Itcan be easilystatedthat a deterministic asymmetric encryption scheme cannot be semantically secure since itisnotindistinguishable, as the adversary knows the encryption function, and thus can compute thesingle ciphertext corresponding to eachplaintext.In the case of asymmetric encryption schemes, the adversary knows the whole encryptionmaterialincludingboth the encryption function and the encryption key. Thus, he can computeany pair  ( , ( )) . Moving from weakest to the strongest,we have the chosen plaintext,nonadaptive chosen ciphertext and the strongest is the adaptive chosen ciphertextattack. Thisleads to the IND-CPA, IND-CCA1, and IND-CCA2 notions in the literature. IND stands forindistinguishability whereas CPA and CCAsignifychosen-plaintext attack and chosen-ciphertextattackrespectively. Finally, CCA1 refers to the non-adaptive attacks and CCA2 to adaptive ones.Third notion for the security requirement is termed as non-malleability has also been introducedto completethe security analysis. Given a ciphertext  = ( ) , it should be hard for anopponent to produce a ciphertext     such that the corresponding plaintext   , that is not necessary
Search
Tags
Related Search
We Need Your Support
Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

Thanks to everyone for your continued support.

No, Thanks
SAVE OUR EARTH

We need your sign to support Project to invent "SMART AND CONTROLLABLE REFLECTIVE BALLOONS" to cover the Sun and Save Our Earth.

More details...

Sign Now!

We are very appreciated for your Prompt Action!

x