2017 IEEE International Symposium on Parallel and Distributed Processing with Applications and 2017 IEEE International

Conference on Ubiquitous Computing and Communications (ISPA/IUCC)

Secure Cloud Computing: Communication Protocol

for Multithreaded Fully Homomorphic Encryption
for Remote Data Processing
Alexander Oppermann, Federico Grasso Toro, Jean-Pierre Seifert
Artem Yurchenko Security in Telecommunications
Department 8.5 Metrological IT Technische Universitat Berlin
Physikalisch-Technische Bundesanstalt (PTB) Berlin, Germany
Berlin, Germany Email: [email protected]
Email: [email protected]

Abstract—A significant disadvantage of fully homomorphic where multiplication and addition in the encrypted domain are
encryption is the long periods of time needed to process encrypted feasible.
data, due to its complex and CPU-intensive arithmetic techniques. The LSIM (LibScarab extended for Integer arithmetics and
In this paper, a communication protocol is developed to ensure
authenticity, integrity and privacy of measurement data across a Multithreading) is based on the LibScarab implementation [11]
distributed measuring system. The fully homomorphic encryption and extends it for integer arithmetics. It uses zero compar-
library LibScarab was extended by integer arithmetics, compar- isons, parallelization and massive multithreading of arithmetic
isons, decisions and multithreading to secure data processing. operations to specifically suit the needs of tariff applica-
Furthermore, it enhances 32 and 64-bit arithmetic operations, tions (TAF) for smart meter gateways (SMGW). Nevertheless,
improving them by a higher factor. This extension is integrated
into a cloud computing architecture establishing privacy by LSIM should be widely applicable in other areas as well where
design. The resulting parallelized algorithm solved the time fast integer and fixed-point arithmetics are required.
constraint issues for smart meter gateway tariffs. Several tests This paper is organized as follows: Section II describes the
were performed, fulfilling tariff specifications, where preserving related work and gives an overview of the available algorithms.
privacy of accumulated data was necessary. It was concluded
The use cases and communication protocol are presented in
that this extension of the fully homomorphic encryption library
meets the requirements of real world applications. Section III. Afterwards, Section IV details the used library and
the authors’ contributions. Section V comprises performance
I. I NTRODUCTION tests. Finally, the summary and planned future work are
In this paper, a communication protocol is developed to provided in Section VI.
ensure authenticity, integrity and privacy of measurement
data across a distributed measuring system within the cloud II. R ELATED W ORK
computing architecture. By creating a signature for fully In FHE schemes, all arithmetic operations, especially mul-
homomorphic encryption (FHE) all parts of the distributed tiplications, add noise to the encrypted data, a concept called
measuring system (sensor, processing, display) can be verified bootstrapping was introduced by Gentry [5] in order to reduce
throughout the process. Protecting measurement data and their the noise and allow unlimited number of successive arithmetic
distributed processing by a virtual measuring instrument in operations.
cloud computing [4] poses new challenges. This is achieved by “recrypting” the cipher-text in the
In this scenario, traditional security technologies cannot encrypted domain without giving up security. One receives
guarantee secure centralized processing. Therefore, the authors a new noise-reduced cipher-text for the same clear-text. The
propose an approach to secure the processing within a cloud libraries given in Table I are shortly summarized and describe
computing environment, via FHE [3], which allows processing the related work.
of encrypted data without decrypting them.
A handful of open source libraries has been developed TABLE I: Overview of fully homomorphic libraries
since the first realization of FHE in 2009 by Gentry [5].
Library Language Encryption Scheme Key handling
New algorithms, patterns and optimizations of the original
approach can be found in [6][7][8]. HElib [9] is a very HElib C++ BGV Asymmetric
SEAL C++ Fan & Vercauteren Asymmetric
versatile but complex to handle library. On the other hand, LibScarab C Smart-Vercauteren Asymmetric
there are very lightweight solutions like FHEW [10] and FHEW C LWE Symmetric
LibScarab (see Table I). Only those libraries and schemes that HE R Fan & Vercauteren Asymmetric
implement a fully homomorphic approach are considered, i.e.

0-7695-6329-5/17/31.00 ©2017 IEEE 503

DOI 10.1109/ISPA/IUCC.2017.00084
Authorized licensed use limited to: COMSATS INSTITUTE OF INFORMATION TECHNOLOGY. Downloaded on October 24,2024 at 09:10:36 UTC from IEEE Xplore. Restrictions apply.
 1) HELib: HELib [9] is a C++ implementation of
the homomorphic encryption scheme of Brakerski-Gentry-
Vaikuntanathan (BGV) [12]. It provides Smart-Vercauteren
[8] cipher text packing techniques and Gentry-Halevi-Smart
optimizations. In 2015, the library was extended to include
bootstrapping, which allows cipher text refreshes in the en-
crypted domain. Very flexible and configurable but at the
same time quite complex to handle for non-experts, it provides
low-level routines like set, add, multiply, shift,. Furthermore,
it is highly optimized for single instruction multiple data
(SIMD) operations, which are unrewarding for our application
scenarios, since the library cannot compare numbers in the
encrypted domain. While testing it with small numbers for the
security parameters, the memory usage for 6 multiplications
on 7-bit integers amounted to over 6 GBytes. The library is
still under active development.
2) SEAL: The Simple Encrypted Arithmetic Library
(SEAL)[13] is being developed by the Microsoft Research
Group and originally implemented the YASHE scheme. In
the most recent version, the scheme was switched to Fan
and Vercauteren [7]. In the tested version 2.1 of the library it
supported only leveled homomorphism, i.e. by using modulus
switching, one can only perform a predefined amount of
multiplications. Since a flexible approach is needed for the
targeted application scenarios, it would be counter-productive
to limit the amount of operations by the library beforehand.
The library itself is well documented and relatively easy to
use, but it is restricted to a Microsoft Windows environment.
In addition, it does not support bootstrapping and comparisons
in the encrypted domain.
3) LibScarab: LibScarab is a C implementation of the
Smart-Vercauteren scheme [6] created by Perl, Brenner and
Smith [11]. It supports bootstrapping, XOR as well as AND
operations on single bits. The library is easy to use, along
with a clear and compact structure. It is clearly structured
and easy to extend. The authors had to port the library to
the latest FLINT 2.5.2, GMP 6.1.1 and MPFR 3.1.5 libraries,
since LibScarab was last updated in 2013 and does not support
multi-threading out of the box. A recrypt operation is executed
automatically after every arithmetic operation.
4) FHEW: The “Fastest Homomorphic Encryption in the
West” (FHEW) [10] is a C implementation of the Learning
With Errors (LWE) scheme. It uses a symmetric key, i.e.
the same key is used for encryption and decryption. It also
offers bitwise encryption and NAND-Gates. Because of the
symmetric key procedures this library is unsuitable for the
envisioned application scenarios (see Table V). This library
was last updated in 2015.
5) Homomorphic Encryption (HE): The Homomorphic En-
cryption (HE) [15] is a package for the statistic language R
and implements a scheme from Fan and Vercauteren [7]. The
R package itself is a wrapper for the arithmetic functions
written in C/C++. While easy and intuitive to use, it lacks
bootstrapping and therewith the possibility for a cipher-text-
refresh, preventing running several multiplications consecu-
tively, making it not practical for the application scenarios.
504
Authorized licensed use limited to: COMSATS INSTITUTE OF INFORMATION TECHNOLOGY. Downloaded on October 24,2024 at 09:10:36 UTC from IEEE Xplore. Restrictions apply.
III. U SE C ASES AND C OMMUNICATION P ROTOCOL
Classical security approaches use encryption to ensure pri-
vacy and signatures for verifying the authenticity of messages.
These attempts aim for securing the communication between
two endpoints. In the cloud computing context, the atten-
tion shifted to secure computation (see Figure 1). Classical
encryption is static, thus messages have to be decrypted
first before being able to be processed. Similar conditions
apply for classical signature schemes. They are designed for
static messages. In order to verify remote computation, a
proof is needed for correct and trustworthy results. Verifiable
Computing demands that the evaluation of an interactive proof
[16] needs to be more compact than the actual computation.
FHE offers an elegant way to ensure privacy by design since
it prevents clear-text information leaks. While externalizing
confidential processes to the cloud, industry places little trust
in external service providers. The authors chose FHE over a
homomorphic signature scheme not only to help solving this
conflict, but it also offers a more powerful, practical and flex-
ible approach to secure remote computing. Furthermore, there
are several approaches that combine homomorphic encryption
with verifiable computation [17][18], so that it is still feasible
at a later time to integrate verifiable computation with this line
of research.
A. Communication Protocol
An overview of the proposed communication protocol is
described in detail below (see Figure 2). It has been developed
to ensure a distributed, authentic and secure communication
using FHE to secure the computation within a cloud comput-
ing architecture. The parts of sensor, processing and display
correlate in the protocol as the following three sections: Client
(Steps 1-7), Server (Steps 8-14) and Receiver (Steps 15-22).
The client generates the Public Key Pk and Secret Key
Sk . The Sk will be send via a secure channel directly to the
trustworthy receiver (Steps 4-6), in order to be able to decrypt
the encrypted measurements results (Step 18) produced by the
cloud (server). With the Public Key the client encrypts the
Fig. 1: Overview of different security techniques and their area
of application
   
  LSIM client-server communication protocol (overview)

  

Input: Measurement data m1 . . . mn , Encryption Parameter

  eP , Public Key Pk , Secret Key Sk , upload/download usable
bandwith (U,D), index of elements i = 1 . . . n
Output: Measurment results mr1 . . . mrn
      1: Client:
2: creates measurement data mi
  
   
3: encrypts measurement data and index twice:
  

 

  ci ← mi and ci ← mi ,
   index vi ← i and vi ← i
  
note: ci = ci but dec(ci ) = dec(ci ), vi = vi but dec(vi ) =
dec(vi )



4: repeat
Fig. 2: Overview of encrypted communication protocol 5: send Sk to trustworthy receiver,
6: until key exchange is successful
7: sends two encrypted messages with ci , vi and ci , vi to the
same measurement twice and sends them to the Cloud. This server, respectively
procedure 8: Server:
creates the simplest form of a signature to ensure authen- 9: checks certificate and the origin of messages
ticity and integrity of the measurement results. 10: if check is successful then
Even though homomorphic encryption usually aims at en- 11: process data
suring data privacy [5], it may be used in other areas and → ci and ci will be treated the same
for other purposes as well. A potential attacker trying to 12: compute ri and ri , respectively
manipulate the measurement results from within the cloud 13: else
computing architecture will face no clear-text processing and 14: throw data away, → error message to logbook
thus can only tamper randomly a measurement or the attacker 15: Receiver:
consequently manipulates all measurement data in the same 16: authenticates against server
way. If the first approach is chosen the receiver will detect the 17: pulls measurement results from server
manipulation (Step 19) and discard the measurement result. If 18: decrypts measurement results and index with Sk
all measurements are tampered in the same way only test data 19: if dec(ri ) = dec(ri ) and dec(vi ) = dec(vi ) then
with a known outcome can detect this kind of manipulation. 20: no manipulation and mri is correct
Implementing aperiodic test runs with precalculated data will 21: else
decrease the possibility for an attacker to stay undetected for 22: throw measurement data away,
a long period. return error message to logbook
If homomorphic encryption is carefully combined with test- f lag measuring system failure.
ing a running algorithm via precalculated test data, even such
random effects may be detected. Subsequently, the scheme
detailed here [3] may be used to achieve a certain degree of an energy amount are combined to form a price to be paid.
robustness towards algorithm and data manipulation, too. Finally, comparisons of input values are essential to realize
B. Required Logical and Arithmetic Operations. input- and time-dependent switching statements.
The implemented algorithm described in Section IV aims
at realizing the SMGW’s tariffing functionality, with suitable C. Required time for processing.
computation capacity without realizing additional protective The SMGW performs two tasks: Accumulation of mea-
measures. This approach can be easily applied to many other surement data and monthly reading of the accumulated mea-
measuring systems, performing similar price calculations such surement data according to the chosen SMGW tariffs. The
as: encrypted data coming from the meters need to be processed
• addition, subtraction, multiplication, division, in the cloud. In order to guarantee privacy of the measurement
• comparison, data FHE is used.
• input-dependent source selection, A maximum of 32 meters can be connected to a gateway
• input-dependent destination selection. simultaneously and since every 15 minutes new measurement
The addition operation is needed to add new energy values data arrive, therefore the accumulation has to be processed
to an existing tariff register. Subtraction, division and negative under 15×60sec
32 = 28seconds. Due to the non feasibility of
numbers are required to calculate the current energy flow (the the parallelization of the accumulation process, since there
power) based on consecutive readings of an cumulative meter. are inter-dependencies between measurements that may have
The multiplication operation is required when a tariff and an effect on the chosen register for subsequent values, the

505

Authorized licensed use limited to: COMSATS INSTITUTE OF INFORMATION TECHNOLOGY. Downloaded on October 24,2024 at 09:10:36 UTC from IEEE Xplore. Restrictions apply.
 monthly retrieval of accumulated register values should be
done at a later time.
Therefore, parallelization can be implemented in the homo-
morphic core operations, like multiplication and addition, as
well as in the monthly reading for the tariffs.
IV. A LGORITHM D ESCRIPTION AND E XTENSIONS
In this section, the extensions of LibScarab are described, in
order to implement the needed algorithms for the application
scenarios TAF 1-4, explained in detail in Table V. In subsec-
tion IV-B, a brief description of addition, multiplication and
division operations is given, as well as simple decision and
comparisons in the FHE environment.
A. Choosing and extending the library
Fully homomorphic encryption schemes support two oper-
ations: addition and multiplication. Depending on the imple-
mented scheme, also a sign change is possible, which enables
subtraction. A lot of simple algorithms are based on these three
operations and thus can be implemented. But nevertheless, no
solution exists for comparing two numbers in the encrypted
domain, which makes it impossible to make a decision in the
encrypted domain and consequently to implement a division
algorithm for example.
One possible way to implement a division algorithm is
to represent numbers as fractions by saving nominator and
denominator separately in order to bypass division. But this
approach does not solve the problem of comparisons in the
encrypted domain. It also seems impossible to render an
unencrypted result from an encrypted operation without giving
up security and privacy. This means that all algorithms should
be either completely deterministic or there should be enough
computing power to calculate all possible results in parallel.
A final decision should always be made in the unencrypted
domain for the targeted algorithms. Since they neither have a
completely deterministic structure nor is the decryption of the
data in an insecure environment an option, a different approach
was pursued replacing integers with binary numbers.
The LibScarab library is a good choice for the prototype,
since it provides all necessary tools without adding too much
complexity. In addition, it is easily configurable yet simple to
modify and to extend. On top of that it is very fast. A “recrypt”
procedure is executed after each operation. Thus, there is
no further need for noise control to fulfill the requirement
of unlimited multiplications as mentioned in Section III. As
already pointed out in Section II-3, the library did not support
multi-threading out of the box, since it was built on old
versions of the libraries FLINT, GMP and MPFR. Therefore,
it was ported to newer versions in order to comply with the
requirements.
B. Implementation of arithmetic operators
Using binary numbers only two operations are left; the
modulo-2-addition which corresponds to an XOR-gate and
a modulo-2-multiplication that corresponds to an AND-gate.
Another operation is the (unencrypted) binary complement of
506
Authorized licensed use limited to: COMSATS INSTITUTE OF INFORMATION TECHNOLOGY. Downloaded on October 24,2024 at 09:10:36 UTC from IEEE Xplore. Restrictions apply.
the encrypted number which corresponds to toggling bits in the
encrypted domain. With these two operations (see Equation 1
& 2) it is possible to derive all the boolean functions and, as
a consequence, to provide arithmetic and logical operations
on encrypted integers, which are represented as arrays of
encrypted bits. The addition, subtraction and multiplication
operations for integers had to be reimplemented according to
the chosen binary word sizes (e.g. 32-bit and 64-bit length).
A ∨ B = ¬(¬A ∧ ¬B) (1)
((1 ⊕ A) = ¬A). (2)
1) Zero-Test of encrypted Integers.: This binary approach
yields the opportunity to implement a zero-test as a simple
bitwise ∨ on all bits of the represented number. The result of
this operation should be complemented to return an encrypted
1 in case the examined number was 0. This corresponds to
a logical NOR operation with 32-bit inputs. The encrypted
result can be directly used as an input for further encrypted
arithmetic and logical operations. To verify the computed
result it has to be decrypted in the end.
2) Comparison of encrypted Integers.: A simple implemen-
tation of a comparator consists of the subtraction of both input
parameters (A − B) and of the sign-evaluation of the result.
This operation delivers two possible results A < B or A ≥ B.
The latter needs to be checked with the help of the zero-test,
so that it can be distinguished between A > B and A = B. If
this clarification is not needed, this approach can be reduced
to the calculation of borrow-bits only, since the result of the
subtraction itself is not important.
3) Simple decisions on encrypted Integers.: It is significant
to highlight that the result of a decision should remain in the
encrypted domain. Therefore, it is not possible to externally
influence the program flow. Nevertheless, simple algorithmic
constructs are feasible based on the result of the comparison or
zero-test operator. These are source and destination selections.
The source selection, on the one hand, is represented by
the following C-construct, which is similar to an if-then-
else-construct with the constraint that only data flow can be
controlled:
Y = (condition)?A : B (3)
To implement this decision a 2:1-multiplexer is required,
which can be described as:
Y = ¬C · A + C · B (4)
where C is the output of the zero-test, the comparison operator
or any other possible boolean equation.
The destination selection, on the other hand, consists of a
demultiplexer and binary adders. The selection is triggered by
a boolean equation (e.g. comparison or zero-test). After the
output selection operation, the selected output or destination
contains the input number and all the other outputs are set to
an encrypted 0. All outputs will be added to the corresponding
registers. All registers are modified, but only one will be
increased by the input value of the demultiplexer. All the

Fig. 3: Tree structure of the optimized adder part
others will be increased by an encrypted 0. It is important to
mention that the addition of an encrypted zero always produces
a different encrypted version of the same number. Hence it is
not possible to say which of the registers are actually changed
by a FHE-operation.
4) Addition of encrypted Integers.: The implementation of
arithmetic circuits is done with special regard to multithread-
ing. A particular challenge was to find a solution with a small
amount of gates and a small circuit depth at the same time.
An analogue problem is known in the field of digital design
as Area-Speed-Tradeoff, since a lower circuit depth usually
results in a higher number of gates used. Each additional gate
needs computing time, thus fast digital circuits have often poor
performance executing homomorphic operations. Especially
for multiplication and division some advanced algorithms
exist, but due to the massive use of multiplexers or lookup-
tables these solutions are not reasonable with respect to the
execution time.
Three different versions of an adder were implemented and
compared. A Carry Look Ahead Adder (CLA) [22] with block
size of 4 and 8 bit, also known as “fast adder” proved to be the
slowest adder within the constraints of this paper. The Carry
Select Adder (CSA) [22] rendered mid-range performance.
The modified Ripple Carry Adder (RCA) [22] revealed the
shortest execution time, since the operations of the first half
adder was executed completely in parallel. The same adder
could be used to implement subtraction, but this would contain
an array of XOR-gates to form the complement. Considering
performance the subtraction was outsourced to a separate
routine, in order to save time during addition operations.
5) Multiplication of encrypted Integers.: Fast multiplica-
tions using higher radix solutions [22][23] require a massive
use of multiplexers or/and operand recoding which are costly
in size as well as time consuming.
In case of conventional binary multiplications, two problems
can be identified: 1.) the generation of the partial products,
2.) their summation. While the generation of partial products
can be carried out completely (bitwise) in parallel, the sum-
mation can only be partially parallelized. A tree structure of
507
Authorized licensed use limited to: COMSATS INSTITUTE OF INFORMATION TECHNOLOGY. Downloaded on October 24,2024 at 09:10:36 UTC from IEEE Xplore. Restrictions apply.
Fig. 4: Multi-threaded combined adder and subtracter
conventional word adders provides insufficient performance.
For this reason, a multi-level bit-wise tree adder is used here
(see Figure 3).
The main principle of a tree adder is that a full adder is used
to add three bits. At the output, one sum bit and one carry bit
are generated. The resulting number, consisting of carry bits,
is shifted one place to the left. Due to the fact that there is
no carry propagation in the case of the 32 partial products
of the multiplication of two 32 bit numbers, 30 (x0 to x29 )
of them can be processed by bit-wise full adders in a bit-
parallel manner in the first stage. The resulting 20 numbers are
supplemented by x30 to deliver 21 numbers and are processed
in the next stage. After several iterations, there are only two
numbers left which are added together by a conventional adder.
The difficulty here is the bitwise addition of the shifted partial
products with respect to the significant bit position, which
requires manual optimization and proper planning of the multi-
threaded operations.
6) Division of encrypted Integers.: The division operation
is the most difficult one to parallelize because of inter-step
dependencies. One possible improvement leading to a reduced
number of iterations is the use of high-radix number systems
to perform the division. Unfortunately, the complexity of each
iteration is also increased in this case. Advanced higher radix
algorithms like Sweeney-Robertson-Tocher (SRT) division
uses lookup-tables and/or a lot of multiplexers [22][23]. These
are very expensive in case of a FHE software implementation,
so that a simpler solution was investigated.
The simplest way to implement the division is the well-
known paper and pencil method adapted to the binary number
system also known as restoring-division [22]. The divisor is
subtracted from the shifted dividend, in case of a negative
remainder the divisor is added back to the remainder and the
result will be shifted. The restoring operation implicates one
extra addition or use of a multiplexer in each iteration. In
contrast to the restoring division the non-restoring-algorithm
requires only one addition or subtraction in each iteration. The
underlying concept can be easily derived from the restoring
algorithm. In case of a negative remainder after one subtraction
the divisor (D) should be added back to the remainder (R)
and the result (S) shifted to the left, i.e. S = 2 · (R + D).
In the next iteration D will be subtracted again: 2 · R + 2 ·
 TABLE II: Overview of key geometry and performance gain in comparison to [11].
key geometry {logν ,S1,S2} key size (kB) keygen (s) speedup recrypt (ms) speedup
384/16/05 1.8/30 1.1 15.5 34 7.7
384/32/16 1.8/60 1.17 11.9 90 3.4
384/64/16 1.8/120 1.24 12 181 3.7
2048/64/16 9.6/626 516 6.1 670 2
4096/64/16 18/1250 5204 2.7 1660 1.9

D − D = 2 · R + D, which is equal to the simple shift of A. Results of homomorphic operations

the negative remainder of the first iteration and replacing of
the subtraction by an addition in the next iteration. Addition
and subtraction are performed by the same boolean circuit
(see Figure 4). The sign-bit of the result is used to select the
operation (addition/subtraction) for the next iteration.
V. E XPERIMENTAL C OMPARISON
This section describes the experimental comparisons that
were conducted on a Linux server with an Intel Xeon CPU
E5-2620 v3 @2.40 GHz, 24 cores and 64GB of RAM. In the
first subsection, key generation, recrypt operation and single
arithmetic operations of FHE are compared, after improving
and extending LibScarab as described in Section IV. The sec-
ond subsections comprises results of the application scenarios
TAF 1-4 that were already outlined in Table V. The speedup
and efficiency are calculated for both single operations as well
as for the tariff applications.
The relative performance gain achieved by parallelization
(speedup) can be measured and is defined in [24] as a metric.
This can be written as:
Ts (n)
S(n) = (5)
Tp (n)
where Ts is the execution time of the best sequential algorithm
for solving the problem and Tp marks the execution time of
the parallelized algorithm using n processing units.
The efficiency is also defined by [24] as a metric that
measures the fraction of time in which a processing unit is
usefully employed. This can be asserted as:
S(n)
E(n) = (6)
n
where S is the speedup for the algorithm (see Equation (5))
1) Key generation and recrypt operations.: While paral-
lelizing the basic arithmetic operations, e.g. addition and
multiplication, it was determined that the speedup factor is
not significant for creating a monic and irreducible polynomial
F (x) with a resultant p being prime (see KeyGen() [6]) in
a multi-threaded environment compared to a single threaded
one, i.e. no relevant time gain for key generation is realized.
The authors assume that performance gain is lost due to the
randomized generation of the polynomials and their evaluation,
because of the great spread of the results and the necessary
synchronization of the threads. Thus, the times stated in
Table II for key generation and recrypt operation are single
threaded. Nevertheless, in comparison to Brenner’s reference
implementation [11] and the stated times for key generation
for 384-bit key length a speed up of 15.5 could be yielded,
i.e. instead of 17 seconds it only took 1.1 second to generate a
key. The main factors are optimizations in the implementation,
modernized libraries as already explained in Section II-3 and
faster hardware than in 2012. The recrypt operation achieved
a speed up factor of 7.7 for the encryption parameter logν =
384, i.e. a recrypt costs only 34ms instead of 263ms. The disk
space for public and private keys does not distinguish from
Brenner’s data.
Brenner’s key geometry consists of three paramters: logν
is the encryption parameter responsible for spanning the
cryptographic space and creating the public key; S1 determines
the elements for the size of the hint inside the public key; S2
determines the number of valid elements in the hint.
2) Arithmetic operations.: By parallelizing the arithmetic
operations the greatest benefit was earned within multiplica-
25.000

20.000
and n marks the number of processing units.
Memory [kB]

15.000

10.000

5.000

0 5 10 15 20 25 30 35 40 45 50
800 Addtion
Multiplication
Time [sec]

600 Division

400

200

0
0 5 10 15 20 25 30 35 40 45 50
Threads [n]

Fig. 6: Plot of single 64 Bit-FHE-operations (Add, Mult, Div)

Fig. 5: Plot of single 32 Bit-FHE-operations (Add, Mult, Div) on a Server with an Intel Xeon CPU E5-2620 v3 @ 2.40 GHz
on a Server with an Intel Xeon CPU E5-2620 v3 @ 2.40 GHz and 64GB RAM.
and 64GB RAM.

508

Authorized licensed use limited to: COMSATS INSTITUTE OF INFORMATION TECHNOLOGY. Downloaded on October 24,2024 at 09:10:36 UTC from IEEE Xplore. Restrictions apply.
 TABLE III: Overview of 32 bit operation results TABLE V: Implemented tariff application scennarios (TAF)
n t (sec) S(n) E(n) in % TAF 1 Tariffs with low data usage, where energy is always billed with
the same price and collected data are only sent at the end of the
Add 1 2 - - billing period requiring no external trigger.
2 2 1 50 TAF 2 Time-dependent tariffs, where energy is billed with different
48 1 2 4 tariffs according to the time at which a certain amount of energy
Mult 1 124 - - is consumed. The switching between tariffs is time-dependent
16 19 6.5 41 but the switching points are static.
48 17 7.3 15 TAF 3 Power-dependent tariffs, where the price does not depend on the
total energy consumed but on the current power consumption
Div 1 196 - - (energy per time interval) The switching into different price
16 126 1.6 10 categories is therefore done according to the value of the current
48 121 1.6 3 measurement result.
TAF 4 Consumption-dependent tariffs, where a new price is used when
tion by a factor of 7.29. In Figure 5 one can see the asymptotic a certain energy budget has been consumed. The budgets are
statically predefined and the condition for assigning new mea-
characteristic of the optimization for the time usage. While surement values to the next price category has to be checked
executing a single thread utilization took 124 seconds for regularly.
a single multiplication, a 48 threads utilization only took
17 seconds for a single multiplication. Considering memory with a speedup of 6.3 and a efficiency gain of 39 % needing
usage, the optimum is reached by utilizing 16 threads with 19 75 seconds.
seconds for a single multiplication with a calculated efficiency Additions in the 64 bit space are optimized by a factor of
gain of 41 % (see Equation 6) and a speedup of 6.53. The 1.6, i.e. needing 5 seconds for one addition using one thread
least significant benefit from parallelization was realized for compared to 48 threads lasting 3 seconds. The optimum is
the addition operation. It is already the fastest operation in the reached for 4 threads with a speedup of 1.3 and a 31 %
encrypted domain needing only two seconds for one addition efficiency. Again addition is the fastest operation.
for a single thread while it could be pushed down to one For the division the same factor of 1.6 could be reached as
second for a single addition utilizing 48 threads. The efficiency for the 32 bit operands. Speaking in absolute numbers it is still
optimum is reached here by using only two threads with a a huge difference from roughly 13 minutes (796 seconds) for
50% efficiency and a speedup of 1 needing two seconds. The a single threaded division compared to about 8 minutes (479
division is traditionally a very complex arithmetic operation seconds) using 48 threads. The optimum is reached using 16
which often has its own compartment on modern CPUs in threads with a speedup of 1.6 and 10 % efficiency needing 8.5
order to optimize its performance. Bearing this in mind for the minutes (497 seconds).
software implementation in the encrypted domain, the benefit
through parallelizing the division operation was achieved by a B. Results of application scenarios
factor of 1.6. This means that a single thread for one division In contrast to the tests performed in Subsection V-A where
took 196 seconds while this was reduced to 121 seconds only arithmetic operations are measured, these results cover
utilizing 48 threads. the combination of arithmetic operations and comparisons
The optimum for this operation is reached using 16 threads applied to the application scenarios described in detail in Table
with a speedup of 1.6 with a 10 % efficiency. Similar results V. A recrypt is included after each arithmetic operation to
could be yielded for 64 bit arithmetic operations as one can reduce the noise. The calculations for the application scenarios
be seen in Figure 6. Obviously, more memory was needed are split into accumulating the measurement data (see Figure
for the single arithmetic operations due to the nature of the 7) and summing them up on demand (see Figure 8), e.g. at the
bigger operands. Again, the multiplication benefited the most end of the month. The latter includes the more complex arith-
by a factor of 6.8, needing almost 8 minutes (470 seconds) metic operations and comparisons in the encrypted domain.
for a single threaded multiplication compared to 69 seconds
using 48 threads. The optimum is reached using 16 threads 35

30 TAF 1 accumulation
TAF 2 accumulation
Time [sec]

TABLE IV: Overview of 64 bit operation results 25 TAF 3 accumulation

TAF 4 accumulation
20
n t (sec) S(n) E(n) in % 15

Add 1 5 - - 0 5 10 15 20 25 30 35 40 45 50
10
4 4 1.3 31
Time [sec]

8
48 3 1.7 3
6
Mult 1 470 - -
4
16 75 6.3 39
48 69 6.8 14 0 5 10 15 20 25 30 35 40 45 50
Threads [n]
Div 1 796 - -
16 497 1.6 10 Fig. 7: Plot of accumulating measurement data on a Server
48 467 1.7 3 with an Intel Xeon CPU E5-2620 v3 @ 2.40 GHz and 64GB
RAM.

509

Authorized licensed use limited to: COMSATS INSTITUTE OF INFORMATION TECHNOLOGY. Downloaded on October 24,2024 at 09:10:36 UTC from IEEE Xplore. Restrictions apply.
 600
500
TAF 1 Read out
400 TAF 2 Read out
TAF 3 Read out
TAF 4 Read out
300
200
100
0
0 5 10 15 20 25 30 35 40 45
Fig. 8: Plot of “read out” of the measurement data. Final
calculation for different application scenarios on a Server with
an Intel Xeon CPU E5-2620 v3 @ 2.40 GHz and 64GB RAM.
While TAF 1 and 4 performed very similar in accumulating
measurement data (see Figure 7) in respect to time and
utilizing threads, the gain is 1.3 needing about 5 seconds for
a single thread to only 3.8 seconds utilizing 48 threads. The
optimum is reached using only 4 threads with a speedup of
1.3 and about 30 % efficiency needing 4.2 and 4.3 seconds.
For the monthly “read out” of the summed up measurement
data the application scenarios (see Figure 8) differ more than
for the accumulation process. TAF 1, low data usage, is the
fasted and simplest one gaining factor 7for a single thread
using 123.3 seconds compared to 48 threads consuming only
17.6 seconds. The optimum is reached using 16 threads with
a speedup of 6.3 and a 39 % efficiency needing 19.6 seconds
to finish.
VI. CONCLUSION AND FUTURE WORKS
In this paper, an extension to the fully homomorphic en-
cryption library LibScarab has been presented. After a brief
comparison of the existing encryption schemes, this extension
(LSIM) and its properties were described and evaluated.
LSIM comprises fast integer arithmetic, logic operations and
multithreading. The resulting gain can be as high as a factor of
7.3 for multiplications of 32 bit numbers, with smaller gains
for addition, subtraction and division. The key generation and
recryption were also optimized by a factor of 15.5 and 7.7,
respectively.
Furthermore, a communication protocol has been developed
to prove the functionality of fully homomorphic encryption
within a cloud computing architecture and successfully applied
to real world applications. This protocol ensures authenticity,
integrity and privacy of the measurement results.
Future work will focus on porting LSIM to CUDA /
OpenCL and carrying out tests on graphic cards for mas-
sive multithreading and parallelization. Furthermore, since
OpenMP was utilized for this prototype, it will be interesting
for further investigations to find out if Posix Threads (pthreads)
or a GMP-library optimization will improve parallelization
with respect to computing time.
Additionally, ongoing challenges should be studied, such as
the computing times in comparison with those realized by a
secure hardware solution for FHE.
Authorized licensed use limited to: COMSATS INSTITUTE OF INFORMATION TECHNOLOGY. Downloaded on October 24,2024 at 09:10:36 UTC from IEEE Xplore. Restrictions apply.
R EFERENCES
[1] European Parliament and Council. Directive 2014/32/EU of the Euro-
pean Parliament and of the Council. Official Journal of the European
Union, 2014.
[2] European Parliament and Council. Directive 2009/72/EC of the Euro-
pean Parliament and of the Council. Official Journal of the European
Union, 2009.
[3] Alexander Oppermann, Jean-Pierre Seifert, and Florian Thiel. Secure
cloud reference architectures for measuring instruments under legal
control. 2016.
[4] Fang Liu, Jin Tong, Jian Mao, Robert Bohn, John Messina, Lee Badger,
50 and Dawn Leaf. Nist cloud computing reference architecture. NIST
special publication, 500(2011):292, 2011.
[5] Craig Gentry et al. Fully homomorphic encryption using ideal lattices.
In STOC, volume 9, pages 169–178, 2009.
[6] Nigel P Smart and Frederik Vercauteren. Fully homomorphic encryption
with relatively small key and ciphertext sizes. In International Workshop
on Public Key Cryptography, pages 420–443. Springer, 2010.
[7] Junfeng Fan and Frederik Vercauteren. Somewhat practical fully
homomorphic encryption. IACR Cryptology ePrint Archive, 2012:144,
2012.
[8] Nigel P Smart and Frederik Vercauteren. Fully homomorphic simd
operations. Designs, codes and cryptography, pages 1–25, 2014.
[9] Shai Halevi and Victor Shoup. Algorithms in helib. In International
Cryptology Conference, pages 554–571. Springer, 2014.
[10] Léo Ducas and Daniele Micciancio. Fhew: bootstrapping homomorphic
encryption in less than a second. In Annual International Conference on
the Theory and Applications of Cryptographic Techniques, pages 617–
640. Springer, 2015.
[11] Henning Perl, Michael Brenner, and Matthew Smith. Poster: an
implementation of the fully homomorphic smart-vercauteren crypto-
system. In Proceedings of the 18th ACM conference on Computer and
communications security, pages 837–840. ACM, 2011.
[12] Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan. (leveled)
fully homomorphic encryption without bootstrapping. ACM Transac-
tions on Computation Theory (TOCT), 6(3):13, 2014.
[13] Kim Laine and Rachel Player. Simple encrypted arithmetic library-seal
(v2. 0). Technical report, Technical report, September, 2016.
[14] Matteo Frigo and Steven G Johnson. The fastest fourier transform in
the west. Technical report, DTIC Document, 1997.
[15] L. J. M. Aslett, P. M. Esperança, and C. C. Holmes. A review of
homomorphic encryption and software tools for encrypted statistical
machine learning. Technical report, University of Oxford, 2015.
[16] Joe Kilian. A note on efficient zero-knowledge proofs and arguments.
In Proceedings of the twenty-fourth annual ACM symposium on Theory
of computing, pages 723–732. ACM, 1992.
[17] Rosario Gennaro, Craig Gentry, and Bryan Parno. Non-interactive
verifiable computing: Outsourcing computation to untrusted workers. In
Annual Cryptology Conference, pages 465–482. Springer, 2010.
[18] Kai-Min Chung, Yael Kalai, and Salil Vadhan. Improved delegation of
computation using fully homomorphic encryption. In Annual Cryptology
Conference, pages 483–501. Springer, 2010.
[19] Marko Esche and Florian Thiel. Software risk assessment for measuring
instruments in legal metrology. In Computer Science and Information
Systems (FedCSIS), 2015 Federated Conference on, pages 1113–1123.
IEEE, 2015.
[20] BSI. Technische Richtlinie BSI TR-03109-1 Anforderungen an die Inter-
operabilität der Kommunikationseinheit eines intelligenten Messsystems.
Bundesamt für Sicherheit in der Informationstechnik, Bonn, 2013.
[21] BSI. Schutzprofil für die Kommunikationseinheit eines intelligenten
Messsystems für Stoff- und Energiemengen (Smart Meter Gateway PP),
Certification-ID: BSI-CC-PP-0073. Bundesamt für Sicherheit in der
Informationstechnik, Bonn, 2014.
[22] Israel Koren. Computer arithmetic algorithms. Universities Press, 2002.
[23] Mi Lu. Modular structure of large multiplier. Arithmetic and Logic in
Computer Systems, 1st ed, New Jersey: John Wiley & Sons, Inc, pages
120–122, 2004.
[24] Ananth Grama, Anshul Gupta, George Karypis, and Vipin Kumar.
Introduction to parallel computing. Pearson Education, second edition,
2003.
510