Efficient Public key Homomorphic Encryption Over Integer Plaintexts (IEEE Xplore)

Y Govinda Ramaiah, G Vijaya Kumari
Department of Computer Science and Engineering, J N T University Hyderabad, India
[email protected]

Abstract— Fully Homomorphic Encryption has become a hot research topic in light of the privacy concerns raised by the emerging cloud computing paradigm. Existing fully homomorphic schemes are not truly practical because of their high computational complexity and huge message expansion. Targeting a homomorphic encryption scheme that is implementable for at least a certain class of applications, this paper proposes a Somewhat Homomorphic public key encryption scheme, which can be viewed as a variant of the scheme of Van Dijk et al. extended to a larger message space. The proposed scheme is compact, semantically secure with a significantly smaller public key, and encrypts integer plaintexts rather than single bits, with comparatively lower message expansion and computational complexity.

Keywords-Homomorphic encryption, smaller public key, larger message space, cloud security, privacy

I. INTRODUCTION

A Homomorphic Encryption Scheme supports "processing the data while it is encrypted". Research on the topic gained momentum after Craig Gentry's first construction of a Fully Homomorphic Encryption (FHE) scheme based on algebraic lattice theory in 2009 [1][2]. This breakthrough is an attractive solution especially for the security and privacy problems of cloud computing and related applications. An FHE scheme is algebraically homomorphic, supporting unlimited additions and multiplications of ciphertexts, which gives it the ability to compute any function on encrypted data [1][2][5]. Gentry's initial construction [1][2] follows a 3-step blueprint: 1) construct a Somewhat Homomorphic Encryption (SHE) scheme that supports many additions and few multiplications; 2) squash the decryption function of the SHE scheme; and 3) obtain the FHE scheme by bootstrapping [5]. FHE schemes that follow Gentry's blueprint [3][4][10] are inefficient and impractical because of the huge gap between the cost of processing ciphertexts and the cost of processing the corresponding plaintexts [11]. The main contributors to this cost are the large message expansion and the ciphertext-refreshing Recrypt procedure used during bootstrapping. Targeting Gentry's scheme and its variants, several works over the past couple of years have suggested optimizations [6], improvements to the key generation algorithm [7][8][12][16] and reduced public key size [8][16], new schemes that eliminate step 2 of the blueprint [9][13], elimination of bootstrapping [11], extension to a larger message space [15], and SHE schemes that evaluate low-degree functions efficiently [14]. For many practical applications, an SHE scheme such as the one proposed in this paper suffices for encrypted data processing [9][10][14].

The proposed public key homomorphic encryption scheme can be considered an efficient and practical variant of the DGHV SHE scheme [4]. Its public key size is $\tilde{O}(n^4)$ and its overall computational complexity is $\tilde{O}(n^8)$. The plaintext space is the ring $\mathbb{Z}_R$, where R is an n-bit integer. This extension to integer plaintexts, i.e. a larger message space, reduces the message expansion ratio from the $n^5$ of existing schemes to $n^3$. As a result, the multiple carry-overs and the associated complexity of evaluating a circuit (or the corresponding function) bit by bit are avoided. Roughly, if an $\tilde{O}(n)$-bit integer is encrypted, the improvement in circuit-evaluation efficiency is of the same order. The smaller public key also needs less storage and less network communication. The security of the scheme rests on the hardness of the two-element Partial Approximate Greatest Common Divisor (PAGCD) problem, and the efficiency improvement is analyzed to show its practicality.

978-1-4673-2588-2/12/$31.00 ©2012 IEEE

II. PRELIMINARIES AND THE DGHV SCHEME

Let $\mathbb{Z}$ denote the set of integers. Lower case italic letters denote the parameters of the scheme, upper case letters denote integers and real numbers, and bold upper case letters denote sets. Let Z and P be two integers. The quotient of the division Z/P is written $Q_P(Z) = \lfloor Z/P \rceil$, where $\lfloor X \rceil$ denotes rounding the real number X to the nearest integer, i.e. the unique integer in the half-open interval $(X - 0.5,\ X + 0.5]$. The remainder of the division Z/P is written $R_P(Z)$; the notation $[Z]_P$ or $Z \bmod P$ denotes this modular reduction and equals $R_P(Z)$. Thus $R_P(Z) = Z - Q_P(Z)\cdot P$, and because $Q_P(Z)$ is obtained by rounding to the nearest integer, $R_P(Z) \in (-P/2,\ P/2]$; for odd P this means $R_P(Z) \in \{-(P-1)/2, \ldots, (P-1)/2\}$. Note that this centered remainder differs from the usual non-negative remainder in $[0, P)$; throughout the paper "mod" denotes the centered reduction.

The logarithm of X to the base 2 is written lg X.

To obtain sufficient homomorphism together with correctness and security, the parameter setting suggested in [4], which yields a complexity of $\tilde{O}(n^{10})$, is $e = \tilde{O}(n^2)$, $r = n$, $d = 2n$, $g = \tilde{O}(n^5)$ and $t = g + n$. With these, the public key DGHV scheme, consisting of the four algorithms KeyGen, Encrypt, Decrypt and Evaluate, is as follows.

KeyGen(n): Choose a random odd e-bit integer from the half-open interval $[2^{e-1}, 2^{e})$ as the secret key P. For i = 0, 1, ..., t choose a random integer $Q_i$ from $[0, 2^{g}/P)$ and another integer $R_i$ from the open interval $(-2^{r}, 2^{r})$, and compute $X_i = PQ_i + R_i$; repeat until $X_0 > X_1, \ldots, X_t$, $X_0 \bmod 2 = 1$ and $(X_0 \bmod P) \bmod 2 = 0$ are satisfied. Output the public key PK = $(X_0, X_1, \ldots, X_t)$ and the secret key SK = P.

Encrypt(PK, $M \in \{0, 1\}$): Choose an integer B from $(-2^{d}, 2^{d})$ as encryption noise. Choose a subset $J \subseteq \{1, \ldots, t\}$ and compute the sum $S = \sum_{i \in J} X_i$. Output the ciphertext $C = [M + 2(B + S)] \bmod X_0$.

Decrypt(SK, C): Compute $M = (C \bmod P) \bmod 2$.

Evaluate(PK, BCKT, $(C_1, \ldots, C_k)$): Let BCKT be the binary circuit to be evaluated, representing a boolean function f with XOR and AND gates (i.e. BCKT consists of mod-2 addition and multiplication gates). Replace the XOR and AND gates of BCKT with addition and multiplication gates operating over the integers. Let GCKT be the resulting generalized circuit and f the corresponding multivariate polynomial. Apply GCKT to $(C_1, \ldots, C_k)$ and output the resulting ciphertext $C = f(C_1, \ldots, C_k)$.

The size of the public key is $\tilde{O}(n^{10})$, because it consists of $t = \tilde{O}(n^5)$ integers each of $g = \tilde{O}(n^5)$ bits. The homomorphism of the scheme rests on the fact that the sum or product of two near multiples of an integer (here the secret key P) is again a near multiple of that integer. For a fresh ciphertext we have $C = [M + 2(B + S)] \bmod X_0 = M + 2B' + PQ'$ for some integers B' and Q'. It can be seen that the term, say $N = M + 2B'$, …
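To make the four algorithms above concrete, the following Python program is an added example (it is not the authors' code, nor the reference implementation of [4]) of the public key DGHV scheme exactly as listed: KeyGen with the three resampling conditions on $X_0$, Encrypt with the random subset sum, the centered-remainder Decrypt, and Evaluate with XOR as integer addition and AND as integer multiplication and no reduction modulo $X_0$. The parameter values (e = 64, r = 4, g = 128, t = 8, d = 6) are constructed so that it runs instantly; they are nowhere near the paper's setting and provide no security. The noise_bits and mult_budget helpers are our own additions that expose the term $N = M + 2B'$ under the secret key, which is what makes the scheme only "somewhat" homomorphic.

```python
"""Toy DGHV somewhat-homomorphic encryption over the integers (bit plaintexts).

Added example of the public key scheme of Section II; not the authors' code
and not the reference code of [4].  Parameters are constructed for
illustration only and are far too small for any security.
"""
import secrets

# Constructed toy parameters: e = |P| in bits, r = noise bits of each public key
# element, g = bits of each public key element, t + 1 = number of elements,
# d = bits of the encryption noise B.  Paper: e=O~(n^2), r=n, d=2n, g=O~(n^5), t=g+n.
TOY = dict(e=64, r=4, g=128, t=8, d=6)


def rand_in(lo, hi):
    """Uniform random integer in the half-open range [lo, hi)."""
    return lo + secrets.randbelow(hi - lo)


def cmod(z, m):
    """Centered remainder R_m(z) in (-m/2, m/2], i.e. [z] mod m of Section II."""
    r = z % m
    return r - m if r > m // 2 else r


def keygen(prm=TOY):
    """KeyGen(n): SK = P, PK = (X_0, ..., X_t) with X_i = P*Q_i + R_i."""
    e, r, g, t = prm["e"], prm["r"], prm["g"], prm["t"]
    P = rand_in(2 ** (e - 1), 2 ** e) | 1                          # random odd e-bit P
    while True:
        Q = [rand_in(0, 2 ** g // P) for _ in range(t + 1)]
        R = [rand_in(-(2 ** r) + 1, 2 ** r) for _ in range(t + 1)]  # R_i in (-2^r, 2^r)
        X = [P * q + rr for q, rr in zip(Q, R)]
        # Resample until X_0 is the largest element, X_0 is odd and R_0 is even.
        if X[0] == max(X) and X[0] % 2 == 1 and cmod(X[0], P) % 2 == 0:
            return P, X


def encrypt(pk, m, prm=TOY):
    """Encrypt(PK, m): C = [m + 2(B + S)] mod X_0, S a random subset sum of X_1..X_t."""
    if m not in (0, 1):
        raise ValueError("DGHV encrypts single bits")
    d, X0 = prm["d"], pk[0]
    B = rand_in(-(2 ** d) + 1, 2 ** d)                             # B in (-2^d, 2^d)
    S = sum(x for x in pk[1:] if secrets.randbits(1))              # random J in {1..t}
    return cmod(m + 2 * (B + S), X0)


def decrypt(P, c):
    """Decrypt(SK, C) = (C mod P) mod 2 with the centered reduction."""
    return cmod(c, P) % 2


def noise_bits(P, c):
    """Bit length of the noise term N = m + 2B' uncovered by the secret key.
    Decryption is correct only while |N| < P/2; every gate consumes this budget."""
    return abs(cmod(c, P)).bit_length()


# Evaluate: XOR gates become integer additions and AND gates integer
# multiplications, with no reduction modulo X_0 (as stated in the text).
def xor(c1, c2):
    return c1 + c2


def and_(c1, c2):
    return c1 * c2


def full_adder(ca, cb, cc):
    """Homomorphic 1-bit full adder: sum = a^b^c, carry = ab ^ bc ^ ca (majority)."""
    s = xor(xor(ca, cb), cc)
    carry = xor(xor(and_(ca, cb), and_(cb, cc)), and_(cc, ca))
    return s, carry


def full_adder_ok(P, pk):
    """Check the homomorphic full adder against the plain one on all 8 inputs."""
    for a in (0, 1):
        for b in (0, 1):
            for c in (0, 1):
                s, carry = full_adder(encrypt(pk, a), encrypt(pk, b), encrypt(pk, c))
                if (decrypt(P, s), decrypt(P, carry)) != ((a + b + c) % 2, (a + b + c) // 2):
                    return False
    return True


def mult_budget(P, pk, prm=TOY):
    """Collect fresh encryptions of 1 while the exact noise of their product (the
    product of the factors' noises) stays below 2^(e-2).  Returns how many fit
    and the factors; the bounded count is what makes the scheme 'somewhat'."""
    factors, noise = [], 1
    while True:
        c = encrypt(pk, 1)
        grown = noise * abs(cmod(c, P))
        if grown.bit_length() > prm["e"] - 2:
            return len(factors), factors
        noise = grown
        factors.append(c)


if __name__ == "__main__":
    P, pk = keygen()
    print("public key bits:", sum(x.bit_length() for x in pk))
    print("fresh noise bits:", noise_bits(P, encrypt(pk, 1)))
    print("full adder correct:", full_adder_ok(P, pk))
    print("fresh factors whose product still decrypts:", mult_budget(P, pk)[0])
```

Running it shows a fresh ciphertext carrying roughly 9 or 10 bits of noise against a 64-bit P, a full adder (two multiplicative levels) that decrypts correctly on every input, and a product that stops being decryptable after six or seven fresh factors; the printed public key size is the $(t+1)\cdot g$ cost the text attributes to DGHV.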

III. PROPOSED HOMOMORPHIC ENCRYPTION SCHEME

In addition to the parameters of the DGHV scheme discussed in the previous section, three more parameters are used in our proposition. The parameter p denotes the bit size of the plaintext integer to be encrypted, which may be taken as O(n). Parameter e' is the bit size of a second secret key integer R, a multiple of which is the additive error in the public key element $X_1$. To allow a sufficient number of homomorphic operations over the plaintexts, e' is taken as $\geq p \cdot \Theta(n \lg^2 n)$. The parameter e is the bit length of the secret key integer P; to support homomorphism for sufficiently deep circuits, e is taken as $\geq e' \cdot \Theta(n \lg^2 n)$. Parameter g is the number of bits in each public key integer; more precisely, it is the bit length of the factor Q used to obtain the multiples of P in the public key. Since the public key consists of only two elements, only the attacks on the two-element PAGCD problem need to be considered [16], for which it is sufficient that g > e; hence we take $g = \omega(e \lg n)$. The corresponding condition assumed in [4] to thwart lattice-based attacks on the Approximate Greatest Common Divisor (AGCD) problem with an arbitrary number t of elements is $g > e^2$. The parameter r' is the bit size of the factor R' used to obtain the multiple of R in $X_1$; r' is taken as $\omega(\lg n)$ to avoid brute-force attacks against it. The bit length of the random perturbation integers $N_i$ used during encryption is denoted s; to thwart brute-force attacks against $N_i$, s should be $\omega(\lg n)$. In view of the correctness, homomorphism and security of the scheme, the suggested theoretical parameter setting is: p = O(n), $e' = \tilde{O}(n^2)$, $e = \tilde{O}(n^3)$, $g = \tilde{O}(n^4)$, s = 3n and r' = n. With this, the proposed public key homomorphic encryption scheme over a larger message space, denoted HEL, consists of the following four algorithms.

KeyGenL(n): Choose two random odd integers P and R of size e and e' bits respectively, i.e. $P \xleftarrow{\$} (2\mathbb{Z}+1)\cap[2^{e-1}, 2^{e})$ and $R \xleftarrow{\$} (2\mathbb{Z}+1)\cap[2^{e'-1}, 2^{e'})$. Choose two g-bit random integers $Q_0, Q_1$ by sampling $Q_i \xleftarrow{\$} \mathbb{Z}\cap[0, 2^{g}/P)$ for i = 0, 1. Take a random integer $R' \xleftarrow{\$} \mathbb{Z}\cap[2^{r'-1}, 2^{r'})$. Compute $X_0 = PQ_0$ and $X_1 = PQ_1 + RR'$. Output the secret key SK = (P, R) and the public key PK = $(X_0, X_1)$.

EncryptL(PK, $M \in \mathbb{Z}\cap[-2^{p-1}, 2^{p-1})$): Choose two s-bit random integers $N_1, N_2$ such that $N_2 > N_1$ and $N_2$ is even, by sampling $N_i \xleftarrow{\$} \mathbb{Z}\cap[2^{s-1}, 2^{s})$ for i = 1, 2. Compute $X_2 = [N_1 X_1] \bmod X_0$. Output the ciphertext $C = [M + N_2 X_2] \bmod X_0$. Note: choosing $N_2$ as a random even number only serves to reduce the security of the scheme to the two-element PAGCD problem (Theorem 2); for better security $N_2$ can be any s-bit random number.

DecryptL(SK, C): Output the plaintext integer $M = [C \bmod P] \bmod R$.

EvaluateL(PK, CKT, $(C_1, \ldots, C_k)$): Let CKT be the arithmetic circuit to be evaluated, corresponding to a multivariate polynomial f in k variables. Given k ciphertexts $C_1, \ldots, C_k$ of the plaintext integers $M_1, \ldots, M_k$, perform every addition and multiplication of CKT over them modulo $X_0$ and output the resulting ciphertext C. That is, for any two ciphertexts $C_1$ and $C_2$ encountered during the evaluation,

AddL: compute $C = [C_1 + C_2] \bmod X_0$, and
MulL: compute $C = [C_1 \times C_2] \bmod X_0$.

The ciphertext obtained after the complete evaluation of the circuit is decrypted with DecryptL.

A. Validation of the proposed scheme

The notion of a permitted circuit [1][2][4] is helpful in proving the correctness and homomorphism of the scheme; for HEL it is defined as follows.

Permitted Circuit: An arithmetic circuit with addition and multiplication gates, corresponding to the polynomial to be evaluated, is called a permitted circuit for the scheme HEL if, for any $\alpha \geq 1$ and any set of integer inputs each at most $2^{e'+\alpha s}$ in absolute value, the maximum absolute value output by the circuit is at most $2^{e-2}$. The set of permitted circuits is denoted $\mathbf{CKT}_p$.

Theorem 1. The public key encryption scheme HEL = (KeyGenL, EncryptL, DecryptL, EvaluateL) is correct, compact and algebraically homomorphic for any integer plaintext $M \in \mathbb{Z}\cap[-2^{p-1}, 2^{p-1})$ and any circuit CKT $\in \mathbf{CKT}_p$.


Proof. Consider a fresh ciphertext output by EncryptL. We have

$X_2 = [N_1 X_1] \bmod X_0 = N_1(RR' + PQ_1) - K_1 P Q_0$ for some integer $K_1$
$\quad = RR'N_1 + P(N_1 Q_1 - K_1 Q_0) = RR'N_1 + PQ'$.

Now

$C = [M + N_2 X_2] \bmod X_0 = M + N_2(RR'N_1 + PQ') - K_2 P Q_0$ for some integer $K_2$
$\quad = M + RR'N_1N_2 + P(N_2 Q' - K_2 Q_0) = M + RN + PQ$

for some integers N and Q. Thus C is an approximate multiple of the integer P. From the suggested parameter setting, the maximum absolute value of a plaintext M is $2^{p-1} - 1$. For correct decryption, the term M + RN must always be smaller than P/2 in absolute value, so that the centered reduction modulo the odd integer $P \in [2^{e-1}, 2^{e})$ returns it unchanged, and the absolute value of M must always be smaller than R/2 for the odd integer $R \in [2^{e'-1}, 2^{e'})$. This is because the modular reduction of C by P must produce M + RN, and the modular reduction of M + RN by R must give M together with its sign. Since for the chosen parameters we have p
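The following Python program is an added example (not the authors' code) of KeyGenL, EncryptL, DecryptL and the AddL/MulL gates exactly as specified in Section III, with constructed toy parameters (p = 8, e' = 40, e = 256, g = 400, s = 6, r' = 4). These are far below the paper's $\tilde{O}(n^k)$ setting and give no security, but they are large enough to exercise the two correctness conditions of the proof above, |M + RN| < P/2 and |M| < R/2, and to show a circuit that violates them. The is_permitted helper is our own mechanisation of the permitted-circuit test: the fresh-noise estimate $2^{e'+r'+2s+1}$ and the plaintext bound $2^{e'-1}$ it uses are our assumptions, not values stated in the paper.

```python
"""Toy implementation of the HEL scheme of Section III (a DGHV variant with an
integer plaintext space).  Added example, not the authors' code.  Parameters
are constructed for illustration and give no security; they are only large
enough to exercise the correctness conditions of the proof of Theorem 1."""
import secrets

# Constructed toy parameters: p = plaintext bits, e2 = e' = |R|, e = |P|,
# g = bits of Q_0, Q_1, s = bits of N_1, N_2, r2 = r' = |R'|.
# Paper: p = O(n), e' = O~(n^2), e = O~(n^3), g = O~(n^4), s = 3n, r' = n.
TOY = dict(p=8, e2=40, e=256, g=400, s=6, r2=4)


def rand_in(lo, hi):
    """Uniform random integer in [lo, hi)."""
    return lo + secrets.randbelow(hi - lo)


def cmod(z, m):
    """Centered remainder [z] mod m in (-m/2, m/2] (Section II notation)."""
    r = z % m
    return r - m if r > m // 2 else r


def keygen(prm=TOY):
    """KeyGenL(n): SK = (P, R), PK = (X_0, X_1), X_0 = P*Q_0, X_1 = P*Q_1 + R*R'."""
    e, e2, g, r2 = prm["e"], prm["e2"], prm["g"], prm["r2"]
    P = rand_in(2 ** (e - 1), 2 ** e) | 1          # odd e-bit P
    R = rand_in(2 ** (e2 - 1), 2 ** e2) | 1        # odd e'-bit R
    Q0, Q1 = (rand_in(0, 2 ** g // P) for _ in range(2))
    Rp = rand_in(2 ** (r2 - 1), 2 ** r2)           # r'-bit R'
    X0 = P * Q0            # exact multiple of P: reductions mod X_0 add no noise
    X1 = P * Q1 + R * Rp   # near multiple of P with additive error R*R'
    return {"P": P, "R": R}, {"X0": X0, "X1": X1}


def encrypt(pk, M, prm=TOY):
    """EncryptL(PK, M): X_2 = [N_1 X_1] mod X_0, C = [M + N_2 X_2] mod X_0."""
    p, s = prm["p"], prm["s"]
    if not -(2 ** (p - 1)) <= M < 2 ** (p - 1):
        raise ValueError("plaintext outside [-2^(p-1), 2^(p-1))")
    while True:                                    # s-bit N_1 < N_2, N_2 even
        N1 = rand_in(2 ** (s - 1), 2 ** s)
        N2 = rand_in(2 ** (s - 1), 2 ** s) & ~1
        if N2 > N1:
            break
    X2 = cmod(N1 * pk["X1"], pk["X0"])
    return cmod(M + N2 * X2, pk["X0"])


def decrypt(sk, C):
    """DecryptL(SK, C) = [C mod P] mod R: mod P strips P*Q, mod R strips R*N."""
    return cmod(cmod(C, sk["P"]), sk["R"])


class CipherOps:
    """AddL and MulL: the ring operations modulo X_0 used by EvaluateL."""
    def __init__(self, X0):
        self.X0 = X0

    def add(self, a, b):
        return cmod(a + b, self.X0)

    def mul(self, a, b):
        return cmod(a * b, self.X0)


class PlainOps:
    """The same gates over plain integers, used to bound noise and plaintext growth."""
    def add(self, a, b):
        return a + b

    def mul(self, a, b):
        return a * b


def evaluate(circuit, ops, inputs):
    """EvaluateL: run the circuit (a Python function of ops and inputs) on ciphertexts."""
    return circuit(ops, *inputs)


def is_permitted(circuit, k, prm=TOY):
    """Permitted-circuit test of Section III.A with our own (assumed) bounds:
    each fresh ciphertext hides M + R*R'*N_1*N_2 < 2^(e'+r'+2s+1) under P and the
    circuit output on that bound must stay below 2^(e-2) so [C mod P] is exact;
    the plaintext result must also stay below R/2 so the final mod R is exact."""
    noise_in = 2 ** (prm["e2"] + prm["r2"] + 2 * prm["s"] + 1)
    noise_out = evaluate(circuit, PlainOps(), [noise_in] * k)
    plain_out = evaluate(circuit, PlainOps(), [2 ** (prm["p"] - 1)] * k)
    return noise_out < 2 ** (prm["e"] - 2) and plain_out < 2 ** (prm["e2"] - 1)


def circuit_poly(ops, c1, c2, c3, c4):
    """f(M1, M2, M3, M4) = M1*M2*M3 + M4: two multiplicative levels."""
    return ops.add(ops.mul(ops.mul(c1, c2), c3), c4)


def circuit_pow8(ops, c):
    """f(M) = M^8 by three squarings: too deep for the toy parameters."""
    for _ in range(3):
        c = ops.mul(c, c)
    return c


if __name__ == "__main__":
    sk, pk = keygen()
    ms = [5, -7, 11, 100]                           # constructed sample plaintexts
    cs = [encrypt(pk, m) for m in ms]
    print("roundtrip:", [decrypt(sk, c) for c in cs])
    print("poly permitted:", is_permitted(circuit_poly, 4), "decrypts to",
          decrypt(sk, evaluate(circuit_poly, CipherOps(pk["X0"]), cs)))
    print("pow8 permitted:", is_permitted(circuit_pow8, 1))
```

Because $X_0 = PQ_0$ is an exact multiple of P, the reductions in AddL and MulL only change the P-multiple and never the hidden term M + RN; that is why the ciphertext can be kept below $X_0$ after every gate (the compactness claimed in Theorem 1) without the noise penalty such a reduction would cost in DGHV, where $X_0$ is itself noisy. The sign of negative plaintexts survives because both reductions in DecryptL are centered.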