International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459, ISO 9001:2008 Certified Journal, Volume 3, Special Issue 4, October 2013)

A Comparative Study of Fully Homomorphic Encryption Schemes for Cloud Computing

Amna Ahmed Ali1
1

Kenana Sugar Company, Dubai, UAE

1

[email protected]

AbstractThe security and privacy issues associated with cloud computing have become the main obstacle for businesses to move towards cloud computing. Many technologies have been used to mitigate these issue including various access control methods and cryptography techniques. The potential that fully homomorphic encryption has for cloud computing is its ability to perform computations on encrypted data without prior decryption. Since Gentrys implementation of the first fully homomorphic scheme in 2009 many interesting variants and schemes have been proposed and developed to improve the performance, reduce the complexity and the cost of the scheme. Two interesting schemes are reviewed and discussed in this paper. The first scheme discussed in this paper is Fully Homomorphic Encryption over Integers, by Marten Van Dijk et al. The second scheme is Fully Homomorphic Encryption without Bootstrapping by Brakerski et al. The scheme analysis is mainly focused on the security, performance and complexity factors of the mentioned schemes. KeywordsBootstrapping, Cloud Security, Cryptography, Fully Homomorphic Encryption, FHE Scheme.

I. INTRODUCTION This The natural evaluation of the Internet has changed the computing concepts from parallel computing to distributed computing to grid computing and recently to cloud computing. The National Institute of Standards and Technology (NIST) has defined the cloud computing as: "Cloud computing is a model for enabling convenient, ondemand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. [1]". Cloud computing as a concept has come with many obvious advantages for businesses such as accessing and using configurable computing recourses (e.g. servers, network infrastructure, applications and services) with minimum management effort and at a lower cost. It also allows a better use for computing resources through sharing and virtualization technologies.

Unfortunately the bright side of the technology has also a dark side, that is the security and privacy issues associated with cloud computing, this is due to the nature of cloud technology which depends on resources sharing, virtualization and requires a trust relationship between businesses and cloud providers. The cloud providers need to access customers data to respond to their queries and perform necessary checks that is not acceptable by many businesses. Many of the privacy issues can be cured by using cryptography. The cloud user can encrypt the data and store it in the cloud, however both user and cloud provider will not be able to carry on any computations on data before decrypting it, moreover the cloud provider will not be able to respond to users queries before decrypting the data first. The promise that fully homomorphic encryption brings to cloud computing is its ability to perform computations on encrypted data without the need of the decryption, the encrypted result when decrypted matches the result of operations performed on the plaintext. The homomorphic encryption is said to be fully homomorphic encryption FHE when a series of additions and multiplications operations can be performed on the ciphertext and still yield the correct sum/product after decryption. II. HISTORY OF FULLY HOMOMORPHIC ENCRYPTION The idea of homomorphic encryption was first proposed in 1978 by Rivest, Adleman and Dertouzos in their paper On Data Banks and Privacy Homeomorphisms [2]. The paper introduced the idea of Privacy Homeomorphisms and highlighted four possible encryption functions which included RSA as additive and multiplicative privacy homeomorphisms. Following that paper many encryption schemes have been developed, but they were either used an addition or multiplication homomorphic computations, this includes El Gamal encryption scheme [3], Paillier encryption scheme [4], Cohen and Fischer [5] and many other schemes. None of these schemes was able to support both additions and multiplication computations.

International Conference on Modern Trends in Science, Engineering and Technology 2013 (ICMTSET 2013), Dubai, UAE .

Page 50

International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459, ISO 9001:2008 Certified Journal, Volume 3, Special Issue 4, October 2013)

In a closer step towards fully homomorphic encryption Boneh, Goh and Nissim developed an encryption scheme that was able to perform many additions and one single multiplication on ciphertexts [6]. In June 2009 Craig Gentry from IBM implemented the first fully homomorphic encryption scheme that was able to perform many additions and multiplications using ideal lattices and bootstrapping technique. The scheme has proved the possibility of implementing fully homomorphic encryption and laid a solid ground for most recent fully homomorphic encryption schemes incl uding Fully Homomorphic Encryption over Integers, by Marten Van Dijk et al. and Fully Homomorphic Encryption without Bootstrapping by Brakerski et al. whish are discussed and reviewed in this paper. The next section explains Gentrys scheme in more depth. III. GENTRYS FULLY HOMOMORPHIC ENCRYPTION SCHEME Gentrys scheme [7] was based on somewhat homomorphic encryption scheme, a somewhat homomorphic scheme can be described as a scheme that can handle a limited number of additions and multiplications before the decryption fails. Gentry used ideal lattices to provide an additive and multiplicative homomorphism. The somewhat homomorphic scheme is then transferred into fully homomorphic encryption scheme using bootstrapping technique. The bootstrapping is represented as a Boolean circuit that refreshes the ciphertext to prevent the inherent noise factor from growing too large and hence make it difficult to get the correct decryption. After the noise is reduced the number of additions and multiplications operations has no limitation; thus making the scheme fully homomorphic. The homomorphic encryption schemes are generally described using the following functions: KeyGen () - Generates the encryption keys. It takes the security parameter as an input, and generates the secret key sk and the public key pk. Enc (pk, m) Encrypts the plaintext m with the public key pk to create ciphertext c. Dec (sk,c) Decrypts the ciphertext c using the secret key sk to retrieve the plaintext m. Gentry has added a new "Evaluate function in his scheme for fully homomorphic encryption, the function can be described as follows:

Eval (pk,C,c1,c2 ct) - Uses a Boolean circuit C to outputs a ciphertext c of f(m) such that Decrypt (sk, m) = f(m). Gentrys construction consists of three main elements: a somewhat homomorphic encryption scheme that can evaluate low degree polynomials, a technique to squash the decryption circuit to get a bootstrappable scheme and finally a method of transferring bootstrapping the scheme into fully homomorphic encryption scheme. The significant point in this process is to obtain a scheme that can evaluate high degree polynomials while the decryption procedure can still be expressed as low degree polynomial. Once the scheme can evaluate its own decryption function plus an additional operation then it is called bootstrappable scheme and can be converted into a fully homomorphic scheme. Although Gentry scheme proved the possibility of implementing fully homomorphic encryption, the scheme complexity, efficiency and performance needed to be improved. For example Gentry has estimated that building a circuit to execute an encrypted Google search with encrypted keywords would multiply the current computing time by 1 trillion. Nevertheless the scheme has inspired many researchers to propose many variants to Gentrys scheme to improve the performance and reduce the complexity and ciphertext size. Two interesting approaches were discussed in the following sections. IV. FULLY HOMOMORPHIC ENCRYPTION OVER INTEGERS The first scheme is known as Fully Homomorphic Encryption over Integers. It is proposed in June 2010 by Marten Van Dijk et al. [8]. This scheme is based on the hardness of the approximate integer greatest common divisors (approximate GCD) problem which is constructed by Howgrave-Graham [9] and defined as follows: Definition (approximate GCD): The (, , ) approximate-gcd problem is: given polynomially many samples from D,(p) for a randomly chosen -bit odd integer p, output p. This scheme follows Gentrys scheme of starting with a somewhat homomorphic scheme and then use bootstrapping to convert it into fully homomorphic scheme. However, the scheme uses simpler mathematical approach by using additions and multiplications over the integers instead of using ideal lattice over polynomial ring.

International Conference on Modern Trends in Science, Engineering and Technology 2013 (ICMTSET 2013), Dubai, UAE .

Page 51

International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459, ISO 9001:2008 Certified Journal, Volume 3, Special Issue 4, October 2013)

This was merely done to reduce the scheme complexity. Dijks somewhat homomorphic encryption algorithms can be summarized as follows: KeyGen () The secret key is a random bit integer: p (2Z + 1) (21, 2).Where Z is a real number and is a bit-length of the secret key, is the bit-length of the integers in public key, is the bit-length of the noise and is the number of integers in public key. For the public key sample a random number xi from the distribution D,(p) for 0 i subject to the condition that the largest xi is odd. The public key pk =<x0,x1,. . . , x >. Enc (pk, m) Encrypts the plaintext message m {0, 1} bit by bit. For a random subset S {1,2, , } and a random integer r in (-2, 2 ) the output ciphertext c is calculated as c [m + 2r + 2iSxi]x0. Eval(pk,C,c1,c2 ct) The Evaluate function works as per Gentrys scheme, however all operations are performed over integers. Dec (sk,c) Outputs m is where m is calculated as m (c mod p) mod 2. As the somewhat homomorphic encryption scheme can only evaluates low-degree polynomials, then it is necessary to bootstrap the scheme to achieve fully homomorphic encryption scheme. Gentrys transformations were used to squash the decryption circuit to transform the scheme into a bootstrappable scheme. In these transformations an information related to the secret key hint is added to public key to post process the ciphertext so that it can be decrypted more efficiently than the original ciphertext, this is because the new ciphertext has a smaller noise component. Hence the noise has the same parity as the message m the least significant bit (LSB) can be read to retrieve the message. The scheme hold correctly as a fully homomorphic scheme as long as the noise stays sufficiently smaller than the secret key p, if the noise grows bigger than that the original plaintext message cannot be revealed correctly. V. FULLY HOMOMORPHIC ENCRYPTION WITHOUT BOOTSTRAPPING The second scheme is known as Fully Homomorphic Encryption without Bootstrapping. This scheme took a drastic approach to achieve fully homomorphic encryption. The scheme was proposed in 2012 by Brakerski et al. [10].

Brakerskis approach was based on Learning with Errors (LWE) and Ring Learning with Errors (Ring LWE) problems, which have been introduced by Regev et al. [11][12]. The Ring LWE problem is defined as follows: Definition (RLWE): For security parameter , let f(x) = xd + 1 where d = d() is a power of 2. Let q = q() 2 be an integer. Let R = Z[x]/(f(x) and let Rq = R/qR. Let = ( ) be a distribution over R. The RLWEd,q, problem is to distinguish the following two distributions: In the first distribution, one samples (ai, bi) uniformly from R2q. In the second distribution, one first draws s Rq uniformly and then samples (ai, bi) 2 R2q by sampling ai Rq uniformly, ei , and setting bi = ai.s + ei. The RLWEd,q, assumption is that the RLWEd,q, problem is infeasible. In this scheme Brakerski was able to obtain a direct construction of a bootstrappable encryption scheme without having to squash the decryption circuit, and hence there was no need to apply a bootstrapping technique to achieve fully homomorphic encryption. As per Gentrys scheme Brakerski started from somewhat homomorphic encryption which was constructed to work over a ring R, where R can be described as R = Z for integers, or R =Z[x]/(xd+1) for polynomial ring with d having a power of 2. For integer q, Rq is used to indicate R/qR. The error distribution parameter was introduced to work over the ring R, was set to be as small as possible. Brakerskis somewhat homomorphic algorithms can be described as follows: KeyGen (1) - Sample sk := s Rq to be polynomial with small coefficients chosen from the error distribution . Enc (sk, R2) Sample a Rq at random, and a polynomial e with small coefficient from error distribution . The output ciphertext c is calculated as c := (a,as +2e + ). Dec (sk, c = (a, b)) Sample b Rq,at random, := b- as over Rq. The output := (mod 2). As per previous schemes the noise/error grows with every homomorphic operation until it becomes intolerable and hence the decryption fails. The key contribution of Brakerskis scheme is his technique of managing noise so that it increases linearly with the multiplicative level instead of exponentially which was the case in previous FHE schemes. The scheme focused on improving the per-gate computation overhead, the per-gate computation can be defined as the ratio between the time it takes to compute the circuit homomorphically to the time it takes to computed in clear.
Page 52

International Conference on Modern Trends in Science, Engineering and Technology 2013 (ICMTSET 2013), Dubai, UAE .

International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459, ISO 9001:2008 Certified Journal, Volume 3, Special Issue 4, October 2013)

The technical tool he used for noise management technique is called modulus switching. The theory behind this technique is that given an evaluator who knows a link to secret key length but does not know the secret key itself, this evaluator can transfer the ciphertext c modulo q into a new ciphertext c modulo p while preserving correctness as per equation 1: [c, s]p = [c, s]q mod2 Where s is the secret. This transformation from c to c implicates scaling by (p/q) and rounding appropriately. Amazingly this results on reduced magnitude of ciphertext c and the inherited noise without prior knowledge of the secret key. The leveled fully homomorphic encryption was achieved using the noise management technique which has allowed the scheme to increase the number of homomorphic operations (additions and multiplications) without squashing or bootstrapping. VI. ANALYSIS AND COMPARISON In this section Dijks and Brakerskis schemes are compared and analyzed for the security, efficiency and complexity factors. A. Fully Homomorphic Encryption over Integers Scheme Security: The security of this scheme is based on the hardness of the approximate-gcd problem. With appropriate selection of parameters the scheme has proved to resist different types of attacks to recover the secret key including brute-force attack with at least 2 time. However it has been proven that the scheme can be attacked to recover the plaintext from ciphertext using lattice reduction algorithm [13]. The parameters settings which have been used in the attack were considered to be appropriate by the Dijks scheme. Performance: The noise factor grows large when addition and multiplication operations are performed, it doubles on addition and squares on multiplication. Multiplying d ciphertexts generates a noise factor with a size equals ~2dn where n is the number of operations. When the noise factor grows above q/2 the cipher text the original message cannot be rectified. In other hand, in order to improve the security of the scheme the cipher text was selected to have a large value n6, this value increase with multiplication which also results on degraded efficiency.

Complexity: Reducing the Gentrys scheme complexity was the main purpose of developing this scheme. The complexity of the somewhat scheme was reduced by using additions and multiplications over integers instead of ideal lattices. Perhaps one of the significance of this scheme is that it proved out that different mathematical approaches and theories can be applied to construct a fully homomorphic encryption scheme using Gentrys blueprint. B. Fully Homomorphic Encryption without Bootstrapping Scheme Security: The security of this scheme is based on the hardness of lattice problems with quasi-polynomial approximation factors. The achieved level of security has not improved from original FHE scheme as it remains 2 time against known lattice attacks. Since the scheme is relatively new, it is probably still too early to confirm its security strength against different types of attacks with great confidence. Efficiency: Brakerski has developed a novel noise management technique that controlled the noise level so that it increases linearly with multiplication instead of exponentially. Theoretically, this scheme beats previous bootstrapping-based FHE schemes performance-wise. The scheme also allowed for L-level arithmetic circuit to be evaluated with (.L3) per-gate computation or instead of (4) which is a large polynomial in the security parameter. The removal of the bootstrapping technique has also resulted on real cost reduction as the cost of bootstrapping in only () time was (4). This allowed for evaluating deeper circuits at a lower cost. Applying batching and bootstrapping as optimization techniques can achieve a better per-gate computation of (2) independent of number of levels. Complexity: When compared to FHE over Integers, Brakerskis scheme uses more complex mathematical algorithms and notations as a result of using Ring LWE instead of working with integers. However the removal of bootstrapping technique has reduced the complexity of decryption function and calculations.

International Conference on Modern Trends in Science, Engineering and Technology 2013 (ICMTSET 2013), Dubai, UAE .

Page 53

International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459, ISO 9001:2008 Certified Journal, Volume 3, Special Issue 4, October 2013)

VII. CONCLUSION Although Dijks scheme has succeeded to reduce the complexity of Gentrys original scheme, his scheme has inherited the efficiency limitations of the original scheme in term of noise, length of cipher text and encryption keys, as well the time needed for encryption, decryption and evaluation functions. In the other hand Brakerskis scheme introduced new novel technique for noise management which allowed for evaluating deeper circuits at the same cost as before, this technique is used in later schemes to improve FHE schemes performance. Both schemes have inspired many researchers to search for new mathematical approaches and techniques to improve the performance and efficiency while meeting the security requirements. At the moment the available schemes provide a great potential for cloud computing but they still have lots of scope for improvement and enhancement before they can be ready for practical use in the cloud computing. REFERENCES
[1] [2] National Institute of Standards and Technology - Computer Security Resource Center - www.csrc.nist.gov. R. Rivest, L. Adleman, and M. Dertouzos, On data banks and privacy homomorphisms, in Foundations of Secure Computation. Academic Press, 1978, pp. 169177. T. E. Gamal, A public key cryptosystem and a signature scheme based on discrete logarithms, in CRYPTO, 1984, pp. 1018.

[4] [5]

[6]

[7]

[8]

[9] [10]

[11]

[12]

[13]

P. Paillier, Public-key cryptosystems based on composite degree residuosity classes, in EUROCRYPT, 1999, pp. 223238. J. D. Cohen and M. J. Fischer, A robust a nd verifiable cryptographically secure election scheme (extended abstract), in FOCS. IEEE, 1985, pp. 372382. D. Boneh, E.-J. Goh, and K. Nissim, Evaluating 2 -DNF formulas on ciphertexts, in Theory of Cryptography - TCC05, ser. Lecture Notes in Computer Science, vol. 3378. Springer, 2005, pp. 325 3417. C. Gentry, A fully homomorphic encryption scheme,Ph.D. dissertation, Stanford University, 2009, http://crypto.stanford.edu/craig. M. Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan, Fully homomorphic encryption over the integers, in EUROCRYPT, 2010, pp. 2443. N. Howgrave-Graham, Approximate integer common divisors, in CaLC, 2001, pp. 5166. Z. Brakerski, C. Gentry, and V. Vaikuntanathan, Fully homomorphic encryption without bootstrapping, Cryptology ePrint Archive, Report 2011/277, 2011. Vadim Lyubashevsky, Chris Peikert, and Oded Regev, On ideal lattices and learning with errors over rings, in EUROCRYPT, volume 6110 of Lecture Notes in Computer Science, pages 1 23, 2010. Oded Regev, On lattices, learning with errors, random linear codes, and cryptography, in Harold N. Gabow and Ronald Fagin, editors, STOC, pages 8493. ACM, 2005. Gu Chunsheng, Attack on Fully Homomorphic Encryption over the Integers, Cryptology ePrint Archive, Report 2012/157, 2012.

[3]

International Conference on Modern Trends in Science, Engineering and Technology 2013 (ICMTSET 2013), Dubai, UAE .

Page 54