
International Journal on Cryptography and Information Security (IJCIS), Vol.2, No.2, June 2012
DOI: 10.5121/ijcis.2012.2203
IMPLEMENTATION AND ANALYSIS OF HOMOMORPHIC ENCRYPTION SCHEMES
Nitin Jain 1, Saibal K. Pal 2 & Dhananjay K. Upadhyay 2

1 USIT, Guru Gobind Singh Indraprastha University, Delhi – 110 075 INDIA, garg.nitin007@gmail.com
2 Scientific Analysis Group, DRDO, Metcalfe House Complex, Delhi – 110 054 INDIA, skptech@yahoo.com, dkudrdo@rediffmail.com
ABSTRACT

An encryption scheme is “homomorphic” if it is possible to perform an implicit operation on the plaintext by processing the ciphertext only. The scheme is said to be “fully homomorphic” when we can perform (a sequence of operations) both addition and multiplication, whereas it is “somewhat homomorphic” if it supports a limited number of operations. We describe how Gentry’s transformation can be applied on a bootstrappable Somewhat Homomorphic Encryption (SHE) scheme to make it a fully homomorphic scheme (FHE) by squashing the decryption circuit, i.e. evaluating it with a low-degree polynomial. The security of the above scheme is based on the hardness of the Approximate Integer Common Divisor Problem (ACDP), which was introduced in 2001 by Howgrave-Graham. Among the two versions of ACDP, the general version (GACDP) is apparently more secure than its partial version (PACDP). We have implemented and analyzed Gentry’s scheme and have suggested some improvements to make it more secure by selecting the key parameters in the permissible range.

KEYWORDS

Homomorphic encryption, SHE, FHE, Bootstrapping, Approximate GCD, Learning with error.
1. INTRODUCTION

With growing communication networks and digital communication, secure communication and data security are of paramount importance. Today one way to achieve secure communication is by the use of cryptography [1],[2], which concurrently ensures confidentiality of data in communication and in storage. For storing and accessing data securely there exist many ways which can guarantee privacy and confidentiality, such as data encryption and tamper-resistant hardware. However, the problem becomes quite complex when it is required to compute publicly on private data, or to modify a function or algorithm in such a way that they are still executable while their privacy is ensured. This is where Homomorphic Cryptographic schemes [3] may be used, as they enable computation with encrypted data, i.e. without knowing anything about the corresponding plain data. Using such schemes, we can perform computations on encrypted data and get back the desired results after decryption. For coherence, the decrypted result has to be equal to the intended computed value, if performed on the original data. During the last few years, homomorphic encryption techniques have been studied extensively and have found application in many different cryptographic protocols operating over open and untrusted networks. Untrusted networks are given only an encrypted version of the data. The network will perform computation on this encrypted data. Ensuring that the encrypted data is really being processed securely was addressed by Rivest [3] through homomorphic encryption. However, this scheme has security flaws as pointed out by Brickell and Yacobi [4]. Ever since, such schemes have been improved and implemented for practical purposes, as in the case of secret sharing schemes, threshold schemes, electronic auctions, commitment schemes, oblivious transfer, anonymity, privacy, electronic voting, multiparty computation, zero knowledge proofs, watermarking and fingerprinting [5], protection of mobile agents and mix-nets.

The organization of the paper is as follows. Section 2 gives the basic definitions of the terminologies used in the paper. Section 3 emphasizes the security aspects of encryption schemes. Homomorphic encryption schemes, focusing on homomorphic encryption over integers, are discussed in Section 4. Finally, we give the implementation results of Gentry’s scheme and some parameter optimization in Section 5.
2. BASIC DEFINITIONS

In this section, we describe some basic terminology used in the paper.

2.1. Encryption and Decryption

Encryption is the conversion of data into a form, called a ciphertext, that cannot be easily understood by unauthorized people, and decryption is the process of converting encrypted data back into its original form, so that the authorized recipient can understand it. According to Kerckhoffs’ principle [6],[7], security must rely upon the secrecy of the scheme, but not on the obfuscation of the code. A cryptography scheme is assumed to be publicly known, whereas the secret piece of information such as the key is responsible for the secrecy of the scheme. According to key management, encryption schemes are of two types: Symmetric and Asymmetric encryption schemes.
2.1.1. Symmetric Encryption

An encryption system in which the sender and receiver of a message share a single, common key that is used to encrypt and decrypt the message is called Symmetric Encryption. Symmetric-key systems are faster, but their main drawback is that two parties wishing to communicate have to exchange the key in a secure way. In addition, scalability is a problem as the number of users increases in the network. Due to its secret nature, symmetric-key cryptography is sometimes referred to as secret-key cryptography.

2.1.2. Asymmetric Encryption

An encryption scheme is called asymmetric encryption if it uses two keys instead of one key as in symmetric encryption. One key encrypts the data and the other decrypts. It is also interchangeably referred to as public key cryptography. An important element of the public key system is that the public and private keys are related in such a way that only the public key can be used to encrypt messages and only its corresponding private key can be used to decrypt them. Moreover, it is virtually impossible to deduce the private key even if the public key is known. Public key cryptography was invented in 1976 by Whitfield Diffie and Martin Hellman [1],[2] and the scheme was called Diffie-Hellman encryption. Security of this type of scheme is based on hard problems in mathematics, which are difficult to solve in polynomial time. However, the downside is that they are slower than the symmetric schemes due to non-trivial mathematical computations. That is why this encryption scheme is used only for encryption of small data or keys, while a symmetric scheme can be used for larger ones.
2.2. Homomorphic Encryption

Homomorphic encryption allows complex mathematical operations to be performed on encrypted data without revealing the contents of the original plain data. For plaintexts P1 and P2 and corresponding ciphertexts C1 and C2, a homomorphic encryption scheme permits meaningful computation of the operation applied to P1 and P2 from C1 and C2 without revealing P1 or P2. The cryptosystem is additive or multiplicative homomorphic depending upon the operation, which can be addition or multiplication.

A homomorphic encryption scheme consists of the following four algorithms:

KeyGen(λ): Input: the security parameter λ. Output: a tuple consisting of the secret key and the public key.

Encrypt(public key, plaintext): Input: a public key and a plaintext. Output: a ciphertext.

Decrypt(secret key, ciphertext): Input: a secret key and a ciphertext. Output: the corresponding plaintext.

Evaluate(public key, circuit, ciphertexts): Input: a public key, a circuit with inputs (of the set of allowed circuits) and a set of ciphertexts. Output: a ciphertext.

Therefore, a homomorphic encryption scheme consists of all algorithms of a conventional public key encryption scheme and an extra one. The correctness-condition for the conventional part of a homomorphic encryption scheme is identical to that of a (non-homomorphic) public key encryption scheme. The additional algorithm Evaluate is supposed to do the following:
If each input ciphertext corresponds to a plaintext (the i-th ciphertext to the i-th plaintext, for i = 1 … n), then Evaluate(public key, circuit, ciphertexts) shall return a ciphertext corresponding to the plaintext obtained by applying the circuit to the n plaintexts, for a circuit with n inputs. A homomorphic encryption scheme is said to correctly evaluate (a set of circuits), if the correctness-condition on the algorithm Evaluate from above holds for all the circuits.

2.2.1. Fully Homomorphic Encryption (FHE)

A homomorphic encryption scheme is fully homomorphic if it correctly evaluates all the circuits and the size of its decryption algorithm (as a circuit) is bounded by some (fixed) polynomial in the security parameter. Patrick [8] shows an illustrative algorithm using Figure 1, and points out that the size constraint of the decryption algorithm excludes trivial schemes in which Evaluate simply outputs the pair (circuit, ciphertexts) and the decryption algorithm Decrypt is adapted to first decrypt each single component of the ciphertext tuple and then apply the circuit to the decrypted part.

Figure 1: An illustrative view of the Evaluate-algorithm

2.2.2. Somewhat Homomorphic Encryption

A scheme is said to be somewhat homomorphic if it can deal with only a limited number of additions and multiplications before the decryption fails, i.e. the depth of the decryption circuit can go up to a limited extent. A Homomorphic Encryption can be developed with existing mathematical primitives such as Integer factorization, Discrete Log problem, Learning with error, Lattice based schemes, Univariate and Multivariate schemes, Small Principal Ideal problem and others.

2.3. Bootstrappable Homomorphic Encryption

Bootstrapping is used by Gentry [9],[10] to convert a somewhat homomorphic scheme to a fully homomorphic scheme. It is described in detail in Section 4.6.1 and 4.6.2.

3. SECURITY ASPECTS

Except one time pad, the security of any cryptosystem or any encryption scheme can be evaluated with respect to available computational infrastructure. Shannon [11] introduced the notion of perfect secrecy/unconditional security with characterized encryption scheme for which the
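As an added example (not code from the paper), a toy symmetric form of the integer-based somewhat homomorphic scheme whose security rests on the approximate GCD problem named in the abstract: a bit m is hidden as c = p*q + 2r + m under an odd secret key p, the Evaluate step of Section 2.2 is plain integer addition and multiplication of ciphertexts, and decryption stays correct only while the accumulated noise 2r + m stays below p/2, which is the limited depth of Section 2.2.2. The parameter names eta/gamma/rho, the gate-list circuit format and the tiny parameter sizes are my assumptions, chosen so the arithmetic is visible, not for security.

```python
import random
# Toy, symmetric form of the somewhat homomorphic scheme over the integers.
# Ciphertext of a bit m under the odd secret key p:  c = p*q + 2*r + m,
# with q a random multiple and r a small noise term (approximate-GCD shape).

def keygen(eta, rng):
    """Secret key: a random odd integer of eta bits (toy size, assumed)."""
    return rng.randrange(2 ** (eta - 1), 2 ** eta) | 1

def encrypt_with(p, m, q, r):
    """Deterministic core: the caller supplies the multiplier q and noise r."""
    return p * q + 2 * r + m

def encrypt(p, m, rng, gamma=60, rho=4):
    q = rng.randrange(0, 2 ** gamma // p)
    r = rng.randrange(-(2 ** rho) + 1, 2 ** rho)   # |r| < 2**rho
    return encrypt_with(p, m, q, r)

def noise(p, c):
    """Centered residue of c mod p; equals 2*r + m while |2r+m| <= p//2."""
    n = c % p
    return n - p if n > p // 2 else n

def decrypt(p, c):
    # Centering matters: a naive (c % p) % 2 flips the bit whenever the
    # accumulated noise 2r+m is negative, because p is odd.
    return noise(p, c) % 2

def evaluate(circuit, cts):
    """Evaluate(C, c_1..c_n): gates are ('add'|'mul', i, j) over a wire list
    that starts with the input ciphertexts; each gate appends its output and
    the last wire is returned.  add = XOR of bits, mul = AND of bits."""
    wires = list(cts)
    for op, i, j in circuit:
        wires.append(wires[i] + wires[j] if op == "add" else wires[i] * wires[j])
    return wires[-1]

def multiplicative_depth(p, c):
    """Successive squarings of c whose noise stays within p//2 (still decryptable)."""
    n, depth = abs(noise(p, c)), 0
    while n * n <= p // 2:
        n, depth = n * n, depth + 1
    return depth

def self_test(seed=1):
    """Random 30-bit key; fresh ciphertexts of both bits round-trip."""
    rng = random.Random(seed)
    p = keygen(30, rng)
    return all(decrypt(p, encrypt(p, m, rng)) == m for m in (0, 1))
```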
knowledge of the cipher text does not give any information either about the plain text or about the key. Under this assumption he proved that one time pad is perfectly secure, and no other scheme, neither symmetric nor asymmetric, has been proved unconditionally secure. As far as asymmetric schemes are concerned, their security depends on the hardness of the mathematical structure used to design the scheme. These mathematical structures are well defined and are hard to solve in general, but these problems can be solved easily if anyone knows the keys for such a scheme; one can compare the hardness of the problem, e.g. factoring large integers or solving discrete log [12] in a large group. Therefore, one can analyze that the security of an asymmetric encryption scheme depends on the intractability of the mathematical structure; however, there may be other ways to break the system other than solving the underlying mathematical problem. In some applications, even the partial information gained from the ciphertext could endanger security, so the minimal requirement for an encryption scheme is that it must be impossible to recover the plain text for anybody not knowing the decryption key. This may be described in other words as “whatever an attacker can compute about the plaintext given the ciphertext, he can also compute without the ciphertext” [13]. The most well known deterministic cryptosystem RSA [14] is for a fixed encryption key, and for a given plaintext, encryption will produce exactly the same ciphertext. Probabilistic encryption ensures generation of different ciphertexts for the same plaintext message.

Firstly, the notion of semantic security was introduced [15] at the same time as probabilistic encryption, in order to define what could be a strong security level, but one not possible without probabilistic encryption. A probabilistic encryption is semantically secure if the knowledge of a ciphertext does not provide any useful information about the plaintext to some hypothetical adversary having only a reasonable computational power. In a more formal manner, for any function f and any plaintext m, with only polynomial resources, the probability to guess f(m) (knowing f but not m) does not increase if the adversary knows a ciphertext corresponding to m. This can be considered as a kind of perfect secrecy with polynomial resources. After defining semantic security, a second notion of polynomial security was defined: the adversary chooses two plaintexts, and we secretly choose a random plaintext and provide the adversary a corresponding ciphertext. The adversary, still with polynomial resources, must guess which plaintext we had chosen. If the best he can do is to achieve a probability 1/2 + ε of success, then the encryption is said to be polynomially secure. Polynomial security is now known as the “indistinguishability of encryption” following the terminology and definitions of Goldreich [16]. Goldwasser and Micali proved the equivalence between polynomial security and semantic security [15]. It can be easily stated that a deterministic asymmetric encryption scheme cannot be semantically secure since it is not indistinguishable, as the adversary knows the encryption function, and thus can compute the single ciphertext corresponding to each plaintext.

In the case of asymmetric encryption schemes, the adversary knows the whole encryption material including both the encryption function and the encryption key. Thus, he can compute any pair consisting of a plaintext and its ciphertext. Moving from weakest to strongest, we have the chosen plaintext, non-adaptive chosen ciphertext and the strongest is the adaptive chosen ciphertext attack. This leads to the IND-CPA, IND-CCA1, and IND-CCA2 notions in the literature. IND stands for indistinguishability whereas CPA and CCA signify chosen-plaintext attack and chosen-ciphertext attack respectively. Finally, CCA1 refers to the non-adaptive attacks and CCA2 to adaptive ones. A third notion for the security requirement, termed non-malleability, has also been introduced to complete the security analysis. Given a ciphertext of some plaintext, it should be hard for an opponent to produce a ciphertext such that the corresponding plaintext, that is not necessary
