Practical Additive Homomorphic Encryption for Statistical Analysis over Encrypted Data

Taek-Young Youn, Nam-Su Jho, and Ku-Young Chang


Cryptography Research Section
Electronic and Telecommunications Research Institute
Daejeon, Korea

Abstract—Homomorphic encryption scheme is one of useful tools for handling encrypted sensitive information. However, most of existing schemes have not been widely used in practical applications due to their inefficiency. In this paper, we give an additive homomorphic encryption scheme which can be used for evaluating some statistical information, such as the mean and the variance. To compute the information without the multiplicative homomorphism, we devise a message encoding technique and design a new additive homomorphic encryption by applying our encoding technique to Paillier's scheme which supports the additive homomorphism. Note that our scheme is the first additive homomorphic encryption which supports the evaluation of both the mean and the variance of encrypted data. We also propose some modifications of our scheme to improve the practicality. One of remarkable advantages of our message encoding technique is that it can be applied to any additive homomorphic encryption for supporting the above mentioned statistical operations.

Keywords—encrypted data; statistical analysis; homomorphic encryption; additive homomorphism

978-1-4673-8685-2/16/$31.00 ©2016 IEEE

I. INTRODUCTION

In storage-based services, clients entrust their information to a data server. When sensitive information is stored in the server's storage, users may want to encrypt their data to secure their privacy before storing it. By encrypting all data, we can expect stronger security and privacy, but the use of encryption scheme is not good in service providers' view point since it is not easy to handle encrypted data. Hence, it is meaningful to give secure techniques that can support existing storage-based services without impairing their original functions.

Until now, various techniques have been proposed to support secure storage-based services [4], [5], [11], [15]. Great part of them focus on search operation since it is the most useful functionality for simple storage services where any computation on encrypted data is not required. However, in these days, naive storage services which support simple functionalities such as upload/download of encrypted data are not sufficient. Instead, we need somewhat complex functionalities which can permit users to produce meaningful information from stored information. However, users may expect that such storage services can be supported without decrypting their encrypted data to protect their privacy. In this case, homomorphic encryption techniques can be used since they permit a server to perform (pre-defined) computations without decrypting stored ciphertexts.

The concept of the homomorphic encryption was firstly proposed by Rivest et al. [18]. Since then, many tries have been made to design new schemes with improved security and performance [1-3], [6-10], [12-14], [16], [17]. In [17], a secure homomorphic encryption has been proposed with additive homomorphism, and the scheme is regarded as a secure and practical additive homomorphic encryption scheme. From now, we call the scheme in [17] as the Paillier-HE scheme. Though the Paillier-HE scheme is efficient enough for practical applications, the scheme is not used in practice since few services require only the additive homomorphism. Hence, it was an open problem to design a scheme that is homomorphic for both addition and multiplication. The scheme in [3] is the first scheme which is homomorphic for both operations, but it is a somewhat homomorphic encryption which can support only one multiplication. The fully homomorphic encryption scheme which supports any operation was firstly proposed by Gentry [11]. After Gentry's fully homomorphic encryption has been proposed, the great progress has been made. Most of existing fully homomorphic encryption schemes basically follow Gentry's technique [1], [2], [6], [8-10], [12], [13].

In these days, the importance of homomorphic encryption is increased along with the growth of information services which are provided on remote storages (e.g. cloud computing service) since the technique can be used to handle sensitive information without decrypting it. However, unfortunately, the computational performance of existing fully homomorphic encryptions is unrealistic to be used in real world applications. Though there are many tries to improve the performance of existing techniques [6], [8-10], [13], it seems hard to give an efficient scheme due to their structural limitation¹. Fortunately, there are still many valuable applications where somewhat homomorphic encryptions are still valid, and it is relatively easy to design practical somewhat homomorphic encryption. For the above discussed reason, there are some works which are aimed to design efficient somewhat homomorphic encryptions which can provide sufficient performance so that can be applied to practical applications [3], [16].

¹ Existing fully homomorphic encryption schemes are designed based on Gentry's construction technique so-called squashing (or re-encryption). The operation requires costly evaluation of decryption circuit, and this procedure cannot be eliminated in the existing scheme. Moreover, the cost of basic operations is high due to the underlying hard problems such as the learning with error problem, the sparse subset problem, etc.

In this paper, we give an additive homomorphic encryption scheme which can be used for statistical analysis on encrypted data. Our scheme is designed to evaluate essential statistical information such as the mean and the variance. A remarkable advantage of our scheme is that it can support the functionality without the multiplicative homomorphism. In the literature, our scheme is the first additive homomorphic encryption which supports the evaluation of the variance. Generally, any additive homomorphic encryption scheme can be used to evaluate the mean, but the scheme cannot be used to evaluate the variance since at least one multiplication should be supported to compute the variance. We also propose two variants which extend the practicality of the proposed scheme. The first variant gives a way to deal with negative values, and the other variant supports the batch evaluation of multiple information.

We emphasize that the main contribution of this work is to give a simple but innovative technique which can be applied to any additive homomorphic encryption so that the scheme can evaluate essential statistical information such as the mean and the variance without the multiplicative homomorphism. In this paper, we use well-known Paillier's encryption scheme to design a practical additive homomorphic encryption which supports statistical analysis on encrypted data. There are many additive homomorphic encryption schemes with different merits and demerits, and thus we can use any additive homomorphic encryption scheme according to the target application.

II. REVIEW OF PAILLIER'S ENCRYPTION SCHEME

In [17], Paillier proposed a novel public key encryption scheme with additive homomorphism. In this paper, we will briefly review the scheme and its additive homomorphism.

A. Description

Key Generation. Let $N = PQ$ where $P$ and $Q$ are prime numbers. Let $g$ be an element of order at least $N$ in $\mathbb{Z}_{N^2}^{\times}$, i.e., $g^N = 1 \bmod N^2$. Note that we can use any integer of the form $1+kN$ for some $k$ in $\mathbb{Z}_N$ since their order are also $N$. In this paper, we use a simple setting $g = 1+N$ since the choice of the parameter does not influence on the security of the Paillier-HE scheme. The public key is then $(N, g)$ while the corresponding secret key is $\lambda = \varphi(N)$.

Encryption. Given a message $m$ in $\mathbb{Z}_N$, choose a random integer $r$ in $\mathbb{Z}_N^{\times}$. Then the ciphertext is computed as follows:

$$c = r^N g^m = r^N (1 + mN) \bmod N^2.$$

Decryption. Given a ciphertext $c$ and the secret key, the message can be computed as following:

$$m = \left(\frac{(c^{\lambda} \bmod N^2) - 1}{N}\right) \cdot \lambda^{-1} \bmod N.$$

B. Additive Homomorphism

To examine the additive homomorphism, we define two ciphertexts for two distinct messages $m_1$ and $m_2$. Let

$$c_1 = r_1^N (1 + m_1 N) \bmod N^2$$

and

$$c_2 = r_2^N (1 + m_2 N) \bmod N^2$$

for some random values $r_1$ and $r_2$. Note that

$$c = c_1 c_2 = r_3^N (1 + (m_1 + m_2) N) \bmod N^2$$

where $r_3 = r_1 r_2$. Therefore, the product of two ciphertexts will decrypt to the sum of their corresponding plaintexts, which implies the additive homomorphism of the Paillier-HE scheme.

III. PROPOSED ADDITIVE HOMOMORPHIC ENCRYPTION

In this section, we describe our additive homomorphic encryption scheme which can be used for evaluating statistical information over encrypted data. We also give proofs for the correctness and the security of the proposed scheme.

A. Description

In the proposed scheme, we have four algorithms for key generation, encryption, evaluation of statistical information, and decryption. Note that the proposed encryption is designed for dedicated purpose. Each algorithm works as follows.

Key Generation. As in Section II-A, the public key $(N, g)$ and the corresponding secret key $\lambda = \varphi(N)$ are generated. Additionally, we need some parameters for message encoding. Let $\delta$ be the bit-size of the data and $B$ $(< 2^{\nu})$ be the upper bound of the number of addition. In this setting, we expect that $3\delta + 2\nu < k$ when $2^k \le N \le 2^{k+1}$.

Encryption (for Data Upload). To upload a $\delta$-bit message $m$, the message is firstly encoded as

$$M = m^2 \cdot 2^{\delta+\nu} + m.$$

For randomly chosen integer $r$ in $\mathbb{Z}_N^{\times}$, the ciphertext is computed as follows:

$$C = r^N (1 + MN) \bmod N^2.$$

Then ciphertext is uploaded to a remote storage. Note that the storage will be managed by a server who computes meaningful statistical information from the stored ciphertexts on clients' requests.

Evaluation. To evaluate the mean and the variance, we have to perform divisions which cannot be supported by our scheme. Existing schemes including fully homomorphic encryptions also have the same problem, but it can be easily solved by evaluating the numerators and denominators separately. We will use the same technique for the issue.

To obtain the evaluated information from the storage server, the client may send the set of indexes to the server to identify target ciphertexts. Note that the way to manage the indexes is not the interest of this paper, and thus we did not give detailed explanation regarding the issue. Suppose that $l$ ciphertexts are selected by the client for generating
statistical information. Let

$$\{C_1, \ldots, C_l\}$$

be the set of ciphertexts where

$$C_i = r_i^N (1 + M_i N) \bmod N^2$$

and

$$M_i = m_i^2 \cdot 2^{\delta+\nu} + m_i,$$

i.e., $C_i$ is the ciphertext of (the encoded message of) $m_i$. The storage server can respond to the client's request by computing

$$C = \prod_{i=1}^{l} C_i,$$

and giving it to the client. Note that the client does not always know the number of ciphertexts since he may want to use all stored ciphertexts. In this case, the server gives $C$ with $l$. If the number of ciphertexts is also a private information, we can use any cryptographic technique to send it secretly.

Decryption and Recover Evaluated Information. Given a ciphertext $C$ and the secret key, one can recover the encoded message as following:

$$M = \left(\frac{(C^{\lambda} \bmod N^2) - 1}{N}\right) \cdot \lambda^{-1} \bmod N.$$

If $C$ is a ciphertext of a single message, the least significant $\delta$-bits of the encoded message $M$ is the encrypted message $m$. Otherwise, if $C$ is the ciphertext which was evaluated by the storage server, we can obtain the mean and the variance from $M$. Let

$$(I)_{\alpha}^{\beta} = \sum_{i=\alpha}^{\beta} I_i \cdot 2^{i-\alpha}$$

where $I_i$ is the $i$-th bit of an integer $I$. Then the mean and the variance can be computed as following:

$$\mu = \frac{(M)_{1}^{\delta+\nu}}{l}$$

and

$$\sigma^2 = \frac{(M)_{\delta+\nu+1}^{k}}{l} - \mu^2.$$

B. Correctness

Here, we examine the correctness of the statistic information evaluated by the proposed scheme. We consider the case where a client requests the storage server to evaluate the mean and the variance of $l$ messages $\{m_1, \ldots, m_l\}$. Recall that each message $m_i$ is stored in the server's storage in an encrypted form as described in the above, and thus the ciphertext of $m_i$ is

$$C_i = r_i^N (1 + M_i N) \bmod N^2$$

where $M_i = m_i^2 \cdot 2^{\delta+\nu} + m_i$. The client who is the owner of the encrypted data will ask the server to compute the mean and variance of the stored data without decrypting them. To respond to the client's request, the server computes

$$C = C_1 \times \cdots \times C_l \bmod N^2$$

which can be rewritten as

$$C = \prod_{i=1}^{l} r_i^N (1 + M_i N) \bmod N^2 = R^N (1 + MN) \bmod N^2$$

where

$$R = \prod_{i=1}^{l} r_i$$

and

$$M = \sum_{i=1}^{l} M_i.$$

Recall that each message $m_i$ is chosen from $\{0,1\}^{\delta}$ and $l$ is bounded by $2^{\nu}$. Due to the parameter selection, the condition $M < N$ can be easily proved. At first, note that

$$M = \sum_{i=1}^{l} M_i = \sum_{i=1}^{l} \left(m_i^2 \cdot 2^{\delta+\nu} + m_i\right).$$

Due to the size of message space, we have

$$\sum_{i=1}^{l} \left(m_i^2 \cdot 2^{\delta+\nu} + m_i\right) \le \sum_{i=1}^{l} (2^{2\delta} - 1) \cdot 2^{\delta+\nu} + \sum_{i=1}^{l} (2^{\delta} - 1)$$

which is smaller than

$$2^{3\delta+2\nu} - 2^{\delta+2\nu} + 2^{\delta+\nu} - 2^{\nu} \le 2^k.$$

The modulus $N$ was chosen so that $2^k \le N$, and thus the condition $M < N$ holds. In the above numerical expression, we also can find that the sum of lower part does not influence on the upper part, i.e., the sum of messages does not increase up to the sum of the square of messages. The least significant $\delta + \nu$ bits of $M$ is the sum of all messages, i.e.,

$$(M)_{1}^{\delta+\nu} = \sum_{i=1}^{l} m_i.$$

The upper part of $M$ is the sum of the square of messages, i.e.,

$$(M)_{\delta+\nu+1}^{k} = \sum_{i=1}^{l} m_i^2.$$

Recall that the mean $\mu$ and the variance $\sigma^2$ of $l$ messages $m_1, \ldots, m_l$ are computed as

$$\mu = \frac{1}{l} \cdot \sum_{i=1}^{l} m_i$$

and
$$\sigma^2 = \frac{1}{l} \cdot \sum_{i=1}^{l} (m_i - \mu)^2.$$

It is widely known that the variance also can be computed as

$$\sigma^2 = \frac{1}{l} \cdot \sum_{i=1}^{l} m_i^2 - \left(\frac{1}{l} \cdot \sum_{i=1}^{l} m_i\right)^2.$$

Hence, the client can evaluate the mean and the variance from the recovered $M$ as following:

$$\mu = \frac{(M)_{1}^{\delta+\nu}}{l}$$

and

$$\sigma^2 = \frac{(M)_{\delta+\nu+1}^{k}}{l} - \mu^2.$$

C. Security

It is well-known that any homomorphic encryption schemes cannot be secure against chosen ciphertext attacks, and thus we show that the proposed scheme is secure against chosen plaintext attacks. To prove the security, we will show that the security of our scheme is guaranteed by a well-known mathematical hard problem so-called the decisional composite residuosity assumption. (Refer to [17] for detailed analysis on the problem.) Recall that, in [17], it was shown that the security of the Paillier-HE scheme is identical with the decisional composite residuosity assumption. Hence, we will prove the following theorem by showing that the security of the proposed scheme is guaranteed by the Paillier-HE scheme.

Theorem 1: The proposed additive homomorphic encryption scheme is secure if the decisional composite residuosity assumption holds.

Proof. The proof begins by assuming the existence of an algorithm A which breaks the semantic security of the proposed scheme. To prove the statement, it suffices to show that we can construct an algorithm B which breaks the semantic security of the Paillier-HE scheme using A.

Suppose that $pk = \{N, g\}$ is a public key given as a challenge. Our goal is to break the semantic security of the Paillier-HE scheme defined by the public key $pk = \{N, g\}$. Since we consider the chosen plaintext attacks, we assume that B can access to an encryption oracle. However, anyone can encrypt using publicly known key information, and thus we can omit detailed explanation for the oracle. Instead of defining an encryption oracle, let Enc(pk, m) be the encryption function where pk is a public key and m is a message. To use the algorithm A as a subroutine, B additionally chooses two parameters $\delta$ and $\nu$ which satisfy $3\delta + 2\nu \le k$ and $2^k \le N \le 2^{k+1}$. B gives $pk' = \{N, g, \delta, \nu\}$ to the algorithm A. Recall that the encryption and the evaluation can be performed using publicly known information, and thus the algorithm A also can compute the computations as described in Section III-A. After performing sufficient computations, the algorithm A may choose two messages $m_0$ and $m_1$ from $\{0,1\}^{\delta}$ and output them to receive a challenge. B computes

$$M_0 = m_0^2 \cdot 2^{\delta+\nu} + m_0$$

and

$$M_1 = m_1^2 \cdot 2^{\delta+\nu} + m_1$$

and outputs $M_0$ and $M_1$. Then, for randomly chosen bit $b$ in $\{0,1\}$, a ciphertext is generated as $C = \mathrm{Enc}(pk, M_b)$ and given to B as a challenge. B forwards $C$ to A. A will return a bit $b'$ by guessing the bit $b$ which is used for generating the challenge $C$. Then, B returns $b'$, too. It remains to estimate the success probability of B. Recall that the goal of the algorithm B is to break the semantic security of the Paillier-HE scheme, which implies that the algorithm achieves success if $b = b'$. The same condition is also applied to the sub-routine algorithm A, which implies that the advantage of B is identical with the advantage of A. Therefore, the semantic security of the proposed protocol is guaranteed by the security of the underlying scheme since the existence of an algorithm which can break the proposed scheme implies the insecurity of the Paillier-HE scheme. □

IV. IMPLEMENTATION CONSIDERATIONS

In this section, we discuss two issues which are important for the practical use of the proposed scheme. The first issue is the computational complexity for evaluating statistical information from encrypted data and the second issue is the size of available data which was specified by the parameter $\delta$ in the description of the proposed scheme.

A. Performance

Recall that, as we mentioned in the introduction, the main contribution of this work is not only to give a new scheme but also to give a simple but innovative technique which can be applied to any additive homomorphic encryption for supporting statistical analysis over encrypted data. To explain our technique, we use the Paillier-HE scheme which requires one ciphertext multiplication for performing one addition over encrypted data. Hence, in the proposed scheme, the storage server performs $n-1$ multiplications to help the client whose goal is to evaluate the mean and the variance of $n$ values. However, there are some homomorphic encryption schemes which require one ciphertext addition for performing one addition over encrypted data [7], [10]². If we use such additive homomorphic encryptions instead of Paillier-HE scheme, the storage server can help the client by performing $n-1$ ciphertext additions instead of $n-1$ ciphertext multiplications. Since the proposed scheme does not use any peculiar operation whose performance cannot be guessed, we omit experimental performance analysis.

² Though existing integer-based fully homomorphic encryption schemes use very long key to support the fully homomorphism. However, if we need only the additive homomorphism, the key size can be shortened since the key information is lengthened for the bootstrappability [11].

B. Size of parameters

We can use the proposed scheme for any data sets which satisfy the pre-defined conditions, and the size of parameters is influenced by the expected security level. We have to use at least 1024-bit modulus $N$ for 80-bit security. If we expect
higher security, 2048-bit modulus can be used for achieving 128-bit security. If the level of security is determined, then we can determine the permitted size for data as follows. Recall that, as defined in Section II-A, we can use the proposed scheme for $2^{\nu}$ messages of $\delta$-bits information if two parameters hold the following conditions:

$$3\delta + 2\nu < k \quad \text{and} \quad 2^k \le N \le 2^{k+1}.$$

For 80-bit security, we use 1024-bit modulus $N$ which implies $k = 1023$. In this case, we can control 327-bit messages when the number of addition is bounded by $10^6$, which also means that we can control any numerical values expressed in 98-decimals. If we consider stronger security, we can use longer information. For 128-bit security, we use 2048-bit modulus $N$ which implies $k = 2047$. In this case, we can use the proposed scheme to manage up to 669-bit information when the number of additions is bounded by $10^6$. Refer to Table I for various parameter settings.

TABLE I. PARAMETER SELECTIONS

| Number of Additions | Size of available data for 80-bits security | Size of available data for 128-bits security |
|---|---|---|
| $10^{6}$ | 327 bits (98 decimals) | 669 bits (201 decimals) |
| $10^{8}$ | 323 bits (97 decimals) | 664 bits (200 decimals) |
| $10^{10}$ | 318 bits (95 decimals) | 660 bits (198 decimals) |
| $10^{12}$ | 314 bits (94 decimals) | 655 bits (197 decimals) |
| $10^{14}$ | 309 bits (93 decimals) | 651 bits (196 decimals) |
| $10^{16}$ | 305 bits (91 decimals) | 646 bits (194 decimals) |

Note that, when a 2048-bit modulus is short for target application, we can use longer modulus to control much more information or longer information. However, as seen in Table I, we can control sufficiently large information with 1024-bit or 2048-bit modulus. If we use the proposed scheme for evaluating the mean and the variance of health related information such as the height, the weight or the blood pressure, a 1024-bit modulus is sufficient enough since such information can be expressed by few decimals and the number of humans in earth is smaller than $10^{10}$ [19].

V. VARIATIONS

In this section, we propose two variations which can improve the functionality and the performance of the proposed scheme.

A. The use of negative numbers

Note that any negative numbers cannot be controlled by the proposed scheme since the subtraction is not permitted in the current form. However, we can control negative numbers by modifying the message encoding method. The modified description is as follows.

Key Generation. Identical with the key generation algorithm described in Section III-A.

Encryption. In this modification, the message $m$ is chosen from $[-2^{\delta-1}, 2^{\delta-1} - 1]$, and it is encoded as

$$M = m^2 \cdot 2^{\delta+\nu} + m'$$

where $m' = 2^{\delta-1} + m$. Then, the encryption of $m$ is

$$C = r^N (1 + MN) \bmod N^2$$

for randomly chosen integer $r$ in $\mathbb{Z}_N^{\times}$. Note that $m'$ is in $\{0,1\}^{\delta}$, and thus the encryption algorithm correctly works as the original encryption algorithm does. The square of a message is always positive, and thus there is no modification for it.

Decryption. Given a ciphertext $C$ and the secret key, the message can be computed as following:

$$M = \left(\frac{(C^{\lambda} \bmod N^2) - 1}{N}\right) \cdot \lambda^{-1} \bmod N.$$

The encrypted message can be recovered from $M$ as

$$m = (M)_{1}^{\delta+\nu} - 2^{\delta-1},$$

and the square of the message is

$$m^2 = (M)_{\delta+\nu+1}^{k}.$$

Evaluate the Mean and the Variance. For each message $m_i$ in $[-2^{\delta-1}, 2^{\delta-1} - 1]$, its ciphertext is computed as

$$C_i = r_i^N (1 + M_i N) \bmod N^2$$

for randomly chosen integer $r_i$ in $\mathbb{Z}_N^{\times}$. Here, the encoded message is

$$M_i = m_i^2 \cdot 2^{\delta+\nu} + 2^{\delta-1} + m_i.$$

Let $C$ be the product of all ciphertexts. By decrypting $C$, we can obtain

$$M = \sum_{i=1}^{l} M_i = \sum_{i=1}^{l} m_i^2 \cdot 2^{\delta+\nu} + \sum_{i=1}^{l} (2^{\delta-1} + m_i).$$

Note that, we have

$$(M)_{1}^{\delta+\nu} = \sum_{i=1}^{l} (2^{\delta-1} + m_i) = l \cdot 2^{\delta-1} + \sum_{i=1}^{l} m_i,$$

and thus the sum of messages can be computed as

$$\sum_{i=1}^{l} m_i = (M)_{1}^{\delta+\nu} - l \cdot 2^{\delta-1}.$$

Hence, when negative integers are also included as source data, the mean and the variance of target data are evaluated as following:

$$\mu = \frac{(M)_{1}^{\delta+\nu} - l \cdot 2^{\delta-1}}{l}$$

and

$$\sigma^2 = \frac{(M)_{\delta+\nu+1}^{k}}{l} - \mu^2.$$

B. Batch computation

As seen in Table I, the proposed protocol can control large integer which does not generally exist in real world application. Based on this observation, we can extend the idea of the proposed scheme to evaluate the means and the
variances for multiple data at once. Here, we assume that all data has the same size. Note that, in this section, we did not consider negative integers for the simplicity of explanation.

Key Generation. As in Section II-A, the public key $(N, g)$ and the corresponding secret key $\lambda = \varphi(N)$ are generated. Let $\delta$ be the bit-size of the data, $B$ $(< 2^{\nu})$ be the upper bound of the number of addition, and $n$ be the number of data types to be controlled at once. The message space can be expressed in vector form as

$$\mathcal{M} = \underbrace{\{0,1\}^{\delta} \times \cdots \times \{0,1\}^{\delta}}_{n \text{ times}}.$$

Three parameters $\delta$, $\nu$, and $n$ are chosen so that they hold the following condition:

$$n(3\delta + 2\nu) < k$$

when $2^k \le N \le 2^{k+1}$.

Encryption. Let $(m_1, \ldots, m_n)$ in $\mathcal{M}$ be a message vector given for encryption. The message vector is encoded as

$$M = \sum_{i=1}^{n} M_i \cdot (2^{3\delta+2\nu})^{i-1}$$

where

$$M_i = m_i^2 \cdot 2^{\delta+\nu} + m_i$$

for $i = 1, \ldots, n$. Then, the encryption of $(m_1, \ldots, m_n)$ is

$$C = r^N (1 + MN) \bmod N^2$$

for randomly chosen integer $r$ in $\mathbb{Z}_N^{\times}$.

Decryption. Given a ciphertext $C$ and the secret key, one can recover $M$ as in the previous section. Note that

$$M_i = (M)_{(3\delta+2\nu)(i-1)+1}^{(3\delta+2\nu)i}$$

for $i = 1, \ldots, n$. Then the $i$-th component of the encrypted message vector and its square are computed as followings:

$$m_i = (M_i)_{1}^{\delta+\nu} = (M)_{(3\delta+2\nu)i-3\delta-2\nu+1}^{(3\delta+2\nu)i-2\delta-\nu}$$

and

$$m_i^2 = (M_i)_{\delta+\nu+1}^{3\delta+2\nu} = (M)_{(3\delta+2\nu)i-2\delta-\nu+1}^{(3\delta+2\nu)i}.$$

Note that, for each substring $M_i$, the addition of encrypted data is supported in an encrypted form. Since the correctness of the property can be easily explained as in Section III-B, we omit detailed discussion for the issue.

One remaining issue for the above variant is the size of controllable data along with the number of data to be controlled in a batch manner. In Table II and III, we give various parameter settings for the case where 5 and 10 data set have controlled at once.

TABLE II. PARAMETER SELECTIONS FOR BATCH COMPUTATION (n=5)

| Number of Additions | Size of available data for 80-bits security | Size of available data for 128-bits security |
|---|---|---|
| $10^{5}$ | 57 bits (17 decimals) | 125 bits (37 decimals) |
| $10^{6}$ | 54 bits (16 decimals) | 123 bits (37 decimals) |
| $10^{7}$ | 52 bits (15 decimals) | 120 bits (36 decimals) |
| $10^{8}$ | 50 bits (15 decimals) | 118 bits (35 decimals) |
| $10^{9}$ | 48 bits (14 decimals) | 116 bits (35 decimals) |
| $10^{10}$ | 46 bits (13 decimals) | 114 bits (34 decimals) |

TABLE III. PARAMETER SELECTIONS FOR BATCH COMPUTATION (n=10)

| Number of Additions | Size of available data for 80-bits security | Size of available data for 128-bits security |
|---|---|---|
| $10^{5}$ | 23 bits (6 decimals) | 57 bits (17 decimals) |
| $10^{6}$ | 20 bits (6 decimals) | 54 bits (16 decimals) |
| $10^{7}$ | 18 bits (5 decimals) | 52 bits (15 decimals) |
| $10^{8}$ | 16 bits (4 decimals) | 50 bits (15 decimals) |
| $10^{9}$ | 14 bits (4 decimals) | 48 bits (14 decimals) |
| $10^{10}$ | 11 bits (3 decimals) | 46 bits (13 decimals) |

VI. CONCLUSION

In this paper, we have proposed a practical homomorphic encryption scheme for statistical analysis over encrypted data. The proposed scheme can be used to evaluate some useful statistical values such as the mean and the variance. The scheme is not fully homomorphic, and it supports only the addition operation differently from existing techniques which can be used for evaluating the same statistical values. We also give two additional techniques for dealing with negative integers and the batch computation of multiple information. In the literature, the proposed scheme is the first additive homomorphic encryption scheme that can be used to generate meaningful statistical values. Moreover, the main idea used in our technique can be applied to any additive homomorphic encryption, which implies that any additive homomorphic encryption can be modified so that it can support statistic applications.

ACKNOWLEDGMENT

This work was supported by ETRI R&D program (15ZS1500) and Next-Generation Information Computing Development Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT & Future Planning (Grant No. 2011-0029925).

REFERENCES

[1] Z. Brakerski and V. Vaikuntanathan, “Efficient fully homomorphic encryption from (standard) LWE”, in: IEEE 52nd Annual Symposium on Foundations of Computer Science, FOCS, IEEE Computer Society, 2011, pp. 97-106.
[2] Z. Brakerski and V. Vaikuntanathan, “Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages”, in: 31st annual conference on Advances in cryptology, CRYPTO, Springer-Verlag, 2011, LNCS 6841, pp. 505-524.
[3] D. Boneh, E. Goh, and K. Nissim, “Evaluating 2-DNF formulas on ciphertexts”, in: Second international conference on Theory of Cryptography, TCC, Springer-Verlag, 2005, LNCS 3378, pp. 325-341.
[4] C. Bosch, P. Hartel, W. Jonker, and A. Peter, “A Survey of Provably Secure Searchable Encryption”, Journal ACM Computing Surveys 47 (2) (2015) 491-500.
[5] K. D. Bowers, A. Juels, and A. Oprea, “Proofs of Retrievability: Theory and Implementation”, in: ACM workshop on Cloud computing security, CCSW, ACM, 2009, pp. 43-53.
[6] J. H. Cheon, J.-S. Coron, J. Kim, M. S. Lee, T. Lepoint, M. Tibouchi, and A. Yun, “Batch Fully Homomorphic Encryption over the Integers”, in: 32nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT, Springer-Verlag, 2013, LNCS 7881, pp. 315-335.
[7] J. H. Cheon, H. T. Lee, and J. H. Seo, “A New Additive Homomorphic Encryption based on the co-ACD Problem”, in: 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS, ACM, 2014, pp. 287-298.
[8] J.-S. Coron, A. Mandal, D. Naccache, and M. Tibouchi, “Fully Homomorphic Encryption over the Integers with Shorter Public Keys”, in: 31st annual conference on Advances in cryptology, CRYPTO, Springer-Verlag, 2011, LNCS 6841, 487-504.
[9] J.-S. Coron, D. Naccache, and M. Tibouchi, “Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers”, in: 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT, Springer-Verlag, 2012, LNCS 7237, pp. 446-464.
[10] M. van Dijk, G. Gentry, S. Halevi, and V. Vaikuntanathan, “Fully Homomorphic Encryption over the Integers”, in: 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT, Springer-Verlag, 2010, LNCS 6110, pp. 24-43.
[11] C. Gentry, “Fully homomorphic encryption using ideal lattices”, in: 41st annual ACM symposium on Theory of computing, STOC, ACM, 2009, pp. 169-178.
[12] C. Gentry, S. Halevi, “Implementing gentry's fully-homomorphic encryption scheme”, in: 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT, Springer-Verlag, 2010, LNCS 6632, pp. 129-148.
[13] C. Gentry, S. Halevi, and N. P. Smart, “Fully Homomorphic Encryption with Polylog Overhead”, in: 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT, Springer-Verlag, 2012, LNCS 7237, pp. 465-482.
[14] C. Gentry, S. Halevi, V. Vaikuntanathan, “A simple BGN-Type cryptosystem from LWE”, in: 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT, Springer-Verlag, 2010, LNCS 6110, pp. 506-522.
[15] S. Halevi, D. Harnik, B. Pinkas, and A. Shulman-Peleg, “Proofs of Ownership in Remote Storage Systems”, in: 2011 ACM SIGSAC Conference on Computer and Communications Security, CCS, ACM, 2011, pp. 491-500.
[16] K. Lauter, M. Naehrig, and V. Vaikuntanathan, “Can Homomorphic Encryption be Practical?”, in: 3rd ACM workshop on Cloud computing security workshop, CCSW, ACM, 2011, pp. 113-124.
[17] P. Paillier, “Public-Key Cryptosystems Based on Composite Degree Residuosity Classes”, in: 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT, Springer-Verlag, 1999, LNCS 1592, pp. 223-238.
[18] R. L. Rivest, L. Adleman, and M. L. Dertouzos, “On data banks and privacy homomorphisms”, Foundations of Secure Computation 4 (11) (1978) 169-180.
[19] http://www.census.gov/main/www/popclock.html
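
The round trip of Sections III-A and III-B (client encodes and encrypts, server multiplies ciphertexts, client decrypts and splits M into the sum and the sum of squares) can be run end to end with the added example below, which is not code from the paper. It goes slightly beyond the basic scheme by also covering the signed encoding of Section V-A and by showing what happens when more ciphertexts are combined than the bound $2^{\nu}$ allows. The toy primes, the function names and the sample data are assumptions made for illustration.

```python
from fractions import Fraction
from math import gcd
import secrets

# Constructed toy key: two Mersenne primes. Far too small for real use; the
# paper calls for a 1024-bit or 2048-bit modulus N.
P, Q = 2**61 - 1, 2**89 - 1


def keygen(p=P, q=Q):
    """Return (N, lam) with g = 1 + N and lam = phi(N), as in Section II-A."""
    return p * q, (p - 1) * (q - 1)


def check_params(N, delta, nu):
    """Enforce 3*delta + 2*nu < k, where 2^k <= N <= 2^(k+1)."""
    k = N.bit_length() - 1
    if 3 * delta + 2 * nu >= k:
        raise ValueError(f"3*delta + 2*nu = {3 * delta + 2 * nu} must be below k = {k}")


def encode(m, delta, nu, signed=False):
    """M = m^2 * 2^(delta+nu) + m; the signed variant (V-A) stores m + 2^(delta-1)."""
    offset = (1 << (delta - 1)) if signed else 0
    if not 0 <= m + offset < (1 << delta):
        raise ValueError(f"message {m} is outside the {delta}-bit range")
    return ((m * m) << (delta + nu)) + m + offset


def encrypt(N, M):
    """C = r^N * (1 + M*N) mod N^2 for a random r in Z_N^*."""
    N2 = N * N
    while True:
        r = secrets.randbelow(N - 1) + 1
        if gcd(r, N) == 1:
            return pow(r, N, N2) * (1 + M * N) % N2


def aggregate(N, ciphertexts):
    """Server side: the ciphertext product mod N^2 adds the encoded plaintexts."""
    C = 1
    for c in ciphertexts:
        C = C * c % (N * N)
    return C


def decrypt(N, lam, C):
    """M = ((C^lam mod N^2) - 1) / N * lam^-1 mod N."""
    return (pow(C, lam, N * N) - 1) // N * pow(lam, -1, N) % N


def decode_stats(M, count, delta, nu, signed=False, strict=True):
    """Low delta+nu bits of M hold the sum, the bits above hold the sum of squares."""
    if strict and count > (1 << nu):
        raise ValueError(f"{count} ciphertexts exceed the bound 2^nu = {1 << nu}")
    width = delta + nu
    total = M & ((1 << width) - 1)
    squares = M >> width
    if signed:
        total -= count << (delta - 1)      # remove the l * 2^(delta-1) offset
    mean = Fraction(total, count)
    return mean, Fraction(squares, count) - mean * mean


def encrypted_stats(values, delta, nu, signed=False, strict=True):
    """Client encrypts, server aggregates, client decrypts and decodes (mean, variance)."""
    N, lam = keygen()
    check_params(N, delta, nu)
    cts = [encrypt(N, encode(v, delta, nu, signed)) for v in values]
    C = aggregate(N, cts)                  # the server only ever handles ciphertexts
    return decode_stats(decrypt(N, lam, C), len(values), delta, nu, signed, strict)


if __name__ == "__main__":
    heights = [170, 165, 180, 175]         # constructed sample data
    print(encrypted_stats(heights, delta=16, nu=10))
    print(encrypted_stats([-3, 5, -8, 2], delta=16, nu=10, signed=True))
    # Failure mode: 3 values with nu = 1 (bound 2) carry from the sum into the squares.
    print(encrypted_stats([255] * 3, delta=8, nu=1, strict=False))
```

With `strict=False` the last call returns a mean of 253/3 instead of 255, because the sum no longer fits in the low $\delta+\nu$ bits; the client-side count check is what prevents this silent corruption.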
