Efficient Public key Homomorphic Encryption Over Integer Plaintexts

Y Govinda Ramaiah, G Vijaya Kumari

Department of Computer Science and Engineering J N T University Hyderabad, India ygovinda@ieee.org

Abstract Fully Homomorphic Encryption has become a hot research topic in light of the privacy concerns related to the emerging cloud computing paradigm. Existing fully homomorphic schemes are not truly practical due to their high computational complexities and huge message expansions. Targeting the construction of a homomorphic encryption scheme that is implementable for at least certain class of applications, this paper proposes a Somewhat Homomorphic public key encryption scheme, which can be viewed as a variant of the scheme devised by Van Dijk et.al, extended to larger message space. The proposed scheme is compact, semantically secure with significantly smaller public key, and is capable of encrypting integer plaintexts rather than single bits, with comparatively lower message expansion and computational complexities. Keywords-Homomorphic encryption, smaller public key, larger message space, cloud security, privacy

I.

INTRODUCTION

A Homomorphic Encryption Scheme supports processing the data while it is encrypted. The research on the topic has gained momentum after Craig Gentrys first construction of a Fully Homomorphic Encryption (FHE) scheme based on algebraic lattice theory in the year 2009 [1][2]. This breakthrough work has become an attractive solution, especially for the security and privacy problems of cloud computing and the related applications. An FHE is algebraically homomorphic, supporting unlimited additions and multiplications of ciphertexts, due to which it attains the capability to compute arbitrarily any function on the encrypted data [1][2][5]. The initial construction of Gentrys FHE [1] [2] consists of a 3-step blueprint, which includes, 1) Constructing a Somewhat Homomorphic Encryption (SHE) scheme that supports many additions and few multiplications 2) Squashing the decryption function of the SHE, and finally 3) Obtaining the FHE (Bootstrapping) [5]. FHE schemes that follow the Gentrys blueprint [3][4][10] are inefficient and impractical because of the huge difference between the computational complexities of processing the ciphertexts and the corresponding plaintexts [11]. The major contribution to this high complexity is by large message expansion and the ciphertext refreshing Recrypt procedure during the bootstrapping. Targeting the Gentrys scheme and its variants, several works have been reported during the past couple of years suggesting optimizations [6], improvement to the key

generation algorithm [7][8][12][16] and reduced public key size [8] [16], new schemes eliminating the step 2 of the above blueprint [9][13], elimination of the bootstrapping process [11], extension to larger message space [15] and SHE that can evaluate low degree functions efficiently [14]. For many applications in practice, an SHE scheme, such as the one proposed in this paper, is sufficient for encrypted data processing [9][10][14]. The proposed public key homomorphic encryption scheme can be considered as an efficient and practical variant of the DGHV SHE scheme [4]. The public key size of the proposition is (n4) and, the overall computational complexity is (n8). The plaintext space is a ring R, where R is an n-bit integer. This extension to integer plaintext encryption or larger message space reduces the message expansion ratio from n5 of the existing schemes to n3. Due to this, the multiple carryovers and the associated complexities involved during a circuit (or the corresponding function) evaluation are mitigated. Roughly, if an (n)-bit integer is encrypted, the improvement in the efficiency of circuit evaluation is of the same order. Also, the smaller public key requires lesser storage space and network communication complexity. The security of the proposed scheme is based on the hard problem of solving the two-element Partial Approximate Greatest Common Divisor (PAGCD), and the improvement in efficiency of the scheme is analyzed to show its practicality. II. PRELIMINARIES AND THE DGHV SCHEME

Let denote the set of integers. Lower case italic letters are used to denote the various parameters employed in the scheme, upper case letters are used to denote the integers and real numbers, and bold upper case letters are used to denote the sets. Let Z and P be two integers. The quotient resulting from the division Z/P is designated by QP(Z), which is defined as Z/P, where X indicates rounding of the real number X to the nearest integer, which is unique in the open interval (X-0.5, X+0.5]. Also, the remainder resulting from the division Z/P is designated by RP(Z). To represent the modulo operation of Z with respect to P, the notation [Z]P or Z mod P is used, which results in RP(Z). Thus, RP(Z) = Z - QP(Z).P, and since QP(Z) is defined by rounding to the nearest integer, RP(Z) (-P/2, P/2], particularly when P is an odd integer.

The logarithm of X to the base 2 is simply designated as lg X.

The notation X S indicates that X is chosen uniformly from the finite set S. The soft-oh notation f(n) = (g(n)) is used to represent f(n) = O(g(n)lgkg(n)) for some k, ignoring the logarithmic factors and any other smaller additive complexities. An integer N not having prime factors smaller than the integer K, is called a K-rough integer. Any other notation used can be understood from the context and depicted wherever they are used for the first time in the paper. Now, let us review the DGHV Somewhat Homomorphic Encryption over the integers [4]. The sizes (bit length) of various integers used in the scheme are designated by some parameters, which are polynomial in the security parameter n. The parameter e denotes size of the secret key integer. In order to support homomorphism for sufficiently deeper circuits, e is taken as r. (n lg2 n). The distance to the nearest multiple of the secret key integer is termed as noise. The public key consists of t integers each one close to a multiple of the secret integer with some noise (hence called approximate multiples of that secret integer). To use the leftover hash lemma (Lemma 2.1, [4]) in reducing the security of the scheme to solving the Approximate Greatest Common Divisor (AGCD) problem, t is taken as g + (lg n). The parameter r denotes size of the noise in the public key integers. To foil the bruteforce attack against the noise, r is taken as (lg n). The size of the integers in the public key is denoted by g. For security against the lattice based attacks on the underlying AGCD problem, g must be (e2 lg n). The size of the additional noise used during the encryption of a plaintext is designated as d, and d > r. In view of, obtaining sufficient homomorphism, the correctness of the scheme and its security, the parameter setting suggested by [4] claiming a complexity of (n10) is, e = (n2), r = n, d = 2n, g = (n5), and t = g + n. With respect to these, the public key DGHV scheme, which consists of four algorithms KeyGen, Encrypt, Decrypt and Evaluate is obtained as follows.
KeyGen(n): Choose a random e-bit odd integer from the right e-1 e open interval [2 , 2 ) as the secret key P. For i = 0,1,.., t g Choose a random integer Qi from the interval [0, 2 /P), another r r integer Ri from the open interval (-2 , 2 ), and compute Xi = PQi + Ri until the conditions X0 > X1,., Xt , X0 mod 2 = 1, and (X0 mod P) mod 2 = 0 are satisfied. Output the public key PK = (X0, X1,.., Xt) and the secret key SK = P. d d Encrypt(PK, M {0, 1} ): Choose an integer B from (-2 , 2 ) to add noise for encryption. Choose a subset J {1,..t}. Compute the sum S = i J Xi . Output the ciphertext as C = [M + 2(B + S) ] mod X0. Decrypt(SK, C) : Compute M = ( C mod P ) mod 2. Evaluate(PK, BCKT, (C1,..,Ck) ): Let BCKT be the binary circuit to be evaluated representing a boolean function f, with XOR gates and AND gates (i.e., BCKT consists of mod-2 addition and multiplication gates). Replace the XOR gates and AND gates of BCKT with addition and multiplication gates that operate over integers. Let GCKT be the resulting

generalized circuit and f be the corresponding multivariate polynomial. Apply GCKT over (C1,..,Ck), and output the g g resulting ciphertext C = f (C1,..,Ck) . The size of the public key is (n10). This is because the public key consists of t = (n5) integers each of size g = (n5). The homomorphism of the scheme lies in the fact that, the multiplication or addition of two near multiples of an integer (the secret key P) results in another near multiple of that integer. We have, C = [M+2(B+S)] mod X0 = M + 2B + PQ, for some integers B and Q. It can be seen that the term, say N = M + 2B << P is the noise, i.e., the distance to the multiple PQ in which plaintext bit M is embedded. This noise makes C an approximate or near multiple of P. Therefore, in decryption, C mod P results in N, and N mod 2 gives the plaintext bit M. Consider two ciphetexts, C1= N1+PQ1 and C2= N2+PQ2. During Evaluate an addition operation gives C1+C2 = (N1+N2)+PQa and multiplication gives C1C2 =(N1N2)+PQm , for some integers Qa and Qm . Again, both C1+C2 and C1C2 are near multiples of P. It is easy to see that for correct decryption we should get [C1+C2] mod P = N1+N2, and [C1C2] mod P = N1N2. That means, the term corresponding to the noise after Evaluate (which involves many such additions and multiplications), should be always less than P, and precisely for this scheme it should be < P/2. The reason for this is, C mod P = C - C/P.P, due to which N belongs to the left open interval (-P/2, P/2]. The main problem which makes the scheme Somewhat Homomorphic is the rapid growth in noise, especially during a multiplication operation in Evaluate. For every multiplication, the bit length of the resulting noise equals the sum of the bit lengths of the multiplicand noises, which crosses the size of P after certain number of multiplications resulting in incorrect decryption. To make the scheme Fully Homomorphic by overcoming this problem, the transformation based on Gentrys blueprint [1][2] is used by [4]. Since the optimizations in the current work target only the underlying Somewhat Homomorphic scheme, the discussion is restricted to the same in this paper. It is suggested to refer [4] and [5] for further concepts related to FHE over the integers. III. PROPOSED HOMOMORPHIC ENCRYPTION SCHEME

In addition to the various parameters used in the DGHV scheme as discussed in the previous section, three more parameters are used in our proposition. The parameter p is used to denote the size of the plaintext integer to be encrypted, which may be taken as O(n). Parameter e is the size of another secret key integer R, the multiple of which is the additive error in the public key element X1. To allow sufficient number of homomorphic operations over the plaintexts, e is taken as p. (n lg2 n). The parameter e is the bit length of the secret key integer P. To support homomorphism for sufficiently deeper circuits, e is taken as e. (n lg2 n). Parameter g is the number of bits in each of the public key integers. More precisely, it is the bit length of the factor Q used to obtain the multiples of P in the public key. Since the public key consists of only two elements, the attacks related to

the two-element PAGCD problem only are considered [16]. In view of this, it is sufficient to satisfy the condition g > e. Hence, we take g = (e lg n). Corresponding condition assumed in [4] to thwart lattice based attacks on the Approximate Greatest Common Divisor (AGCD) problem with some arbitrary t number of elements is, g > e2. The parameter r is the size of the factor R used to obtain the multiple of R in X1, and r is taken as ( lg n) to avoid bruteforce attacks against it. The bit length of the random perturbation noise integers Ni used during the encryption is denoted with s. To thwart the brute-force attack against Ni, s should be ( lg n). In view of the correctness, homomorphism and security of the scheme, the suggested theoretical parameter setting is : p = O(n), e = (n2), e = (n3), g = (n4), s = 3n,and r =n. With this, the proposed public key homomorphic encryption scheme over larger message space, hence denoted as HEL, contains four algorithms as follows. KeyGenL(n): Choose two random odd integers P and R of size
$ $

A. Validation of the proposed scheme The notion of permitted circuit [1][2][4] is helpful in proving the correctness and homomorphism of the scheme, which can be defined as follows for the scheme HEL proposed. Permitted Circuit: An arithmetic circuit with addition and multiplication gates, corresponding to the polynomial to be evaluated, is called as a permitted circuit for the scheme HEL (e+s) in if, for any 1 and any set of integer inputs each 2 absolute value, the maximum absolute value output by the e-2 circuit is at most 2 . The set of permitted circuits is denoted as CKTp. Theorem 1. The public key encryption scheme HEL = (KeyGenL, EncryptL, DecryptL, EvaluateL) is correct, compact and is algebraically homomorphic for the given integer p-1 p-1 plaintext M [-2 , 2 ) and for any circuit CKT CKTp. Proof. Let us consider the fresh ciphertext output by EncryptL. We have, X2 = [N1.X1] mod X0 = N1.(RR+PQ1) mod X0 = RRN1+PN1Q1 K1PQ0 for an integer K1 = RRN1+P(N1Q1 K1Q0) = RRN1+PQ Now, C = [M+N2.X2] mod X0 = [M+N2(RRN1+PQ)] mod X0 = M+RRN1N2+P(N2Q K2Q0) for an integer K2 = M+RN+PQ, for some integers N and Q. This C is an approximate multiple of the integer P. From the parameter setting suggested it can be seen that, the maximum absolute p-1 value of the plaintext M suggested for encryption is 2 -1. For correct decryption of a ciphertext, the term (M+RN) should be e-1 e always less than the odd integer P[2 , 2 ), and the absolute value of M should be always less than R/2 for the odd integer e-1 e R[2 , 2 ). This is because, the modular reduction of C with P should produce (M+RN) and modular reduction of (M+RN) with R should give correct M along with its sign. Since for the chosen parameters we have p << e << e, the condition for correct decryption just discussed is satisfied. Hence, DecryptL works properly for all the fresh ciphertexts. In EvaluateL, let the circuit CKT is applied to the ciphertext integers C1,..,Ck and the resulting ciphertext is C. When the circuit CKT CKTp, the resulting noise in C will be less than P/2 for any P chosen from the specified interval. This shows that the decryption works properly. Regarding the compactness and homomorphism of the scheme HEL, it is easy to see that, the reduction with X0 after every addition and multiplication of two ciphertexts produces another integer ciphertext the size of which is less than or equal to the size of X0. Since the size of X0 is (n4), this defines the bound for the ciphertext as required for compactness. Thus, the size of the ciphertext resulting from EvaluateL is always (n4) irrespective of the circuit CKT being evaluated, which proves the compactness of the scheme. Consider two ciphertexts, C1 = (M1+RN1+PQ1) and C2 = (M2+RN2+ PQ2). The addition operation in EvaluateL gives, Ca = C1 + C2 = [ (M1+ RN1+PQ1) + (M2+RN2+PQ2) ] mod X0 = [ (M1+ M2) + R(N1+N2) + P(Q1+Q2) ] K.PQ0,

e and e respectively. i.e., P (2+1)[2 , 2 ) and R e-1 e (2+1)[2 , 2 ). Choose two g bit random integers Q0, Q1. For this, sample Qi [0, 2 / P), for i = 0,1. Take a random integer R [2 , 2 ). Compute X0 = PQ0, X1= PQ1+RR. Output the secret key, SK = (P, R) and the public key, PK = (X0 , X1).
EncryptL(PK, M[-2 , 2 )): Choose the plaintext integer p-1 p-1 M to be encrypted from [-2 , 2 ). Choose two s-bit random integers N1, N2, so that N2 > N1, and N2 is an even number.
p-1 p-1

e-1

r-1

For this, sample Ni [2 , 2 ), for i = 1, 2. Compute X2 = [N1X1] mod X0. The ciphertext C = [M+N2X2] mod X0.
Note: Choosing N2 as a random even number is only to facilitate in reducing the security of the scheme to the two-element PAGCD problem (Theorem 2). For better security N2 can be any s-bit random number. DecryptL(SK, C): The plaintext integer M = [C mod P] mod R. EvaluateL(PK, CKT, (C1,..,Ck)): Let, CKT be the arithmetic circuit to be evaluated corresponding to a multivariate polynomial f with k variables. Given k ciphertexts C1,..,Ck corresponding to the plaintext integers M1,..,Mk, perform each addition and multiplication operations of CKT over them modulo X0 and output the resulting ciphertext C. Therefore, for any two ciphertexts C1 and C2 during the circuit evaluation, every addition and multiplication operations are performed as, AddL : Compute C = [C1+C2] mod X0, and MulL : Compute C = [C1C2] mod X0 The ciphertext resulting after the complete evaluation of the circuit is decrypted using the DecryptL algorithm.

s-1

for an integer K. = [ (M1+M2) + R( N1+N2) + P(Q1+Q2 KQ0) = (M1 + M2) + R Na + P Qa , for some integers Na and Qa from g s-1 s the intervals [2 , 2 ) and [0, 2 / P) respectively, for an integer 1. Similarly, multiplication of the two ciphertexts in EvaluateL gives, Cm = C1 C2 = [ (M1+RN1+PQ1) (M2+RN2+PQ2) ] mod X0 = [ (M1 M2 ) + M1RN2+ M1PQ2+RN1M2+RN1RN2+ RN1PQ2+PQ1M2+PQ1RN2+PQ1PQ2) ] - K PQ0 , for some integer K = (M1 M2 ) + R(M1N2+N1M2+RN1N2) + P(M1Q2+RN1Q2+ Q1M2+RQ1N2+PQ1Q2KQ0) = (M1 M2 ) + R Nm + P Qm , for some integers Nm and Qm in g e s-1 e s the intervals [2 + , 2 + ) and [0, 2 / P) respectively. It can be verified that for given values of R and P , the values corresponding to the terms N and Q in the fresh ciphertexts as well as the ciphertexts resulting from EvaluateL, all will be within the required limits, whenever the circuit being evaluated CKT CKTp. Hence, Ca decrypts to (M1 + M2) and Cm decrypts to (M1 M2 ) correctly, proving the claim. The permitted circuit is defined over the ring P, where the integers mentioned in the definition corresponds to the noise term (M+RN) in the ciphertexts. The noise in the fresh e-2 e 2s+r and 2 P/2, for some odd integer ciphertexts is 2 + e-1 e P[2 , 2 ). That means, when a permitted circuit is applied to a set of ciphertext integers, the maximum absolute value of the noise should be less than P/2, where P is the minimum value of the secret key integer that can be chosen. The homomorphic evaluation capacity of the scheme HEL is majorly influenced by the number of multiplications supported by it. If two fresh ciphertexts are multiplied once, the bit length of the term (M+RN), which is (n2) will be doubled. The scheme supports multiplications as long as this value is less than the size of P. That means, the scheme supports approximately, |P| / |R| = (n) number of multiplications. The limits imposed on the sizes of the plaintext and noise makes the scheme Somewhat Homomorphic with seemingly many additions, but, limited number of multiplications. Nevertheless, this Somewhat Homomorphic encryption is sufficiently powerful and efficient enough for implementation in many practical applications. To conclude, HEL supports evaluation of the functions approximated to a polynomial having degree less than the multiplicative capacity of HEL, which is roughly (n) as discussed. B. Example computation Now, let us consider the scheme with a numerical example corresponding to the security parameter n = 4. It is to be noted that for the convenience in calculation and to show the homomorphic property of the scheme, we take s = n instead of 3n as specified in the scheme (only for this example). We get, p = 4, e'= 16, e = 64, s = 4, r = 4, and g = 256 KeyGenL: Let, P = 17063439657879604805, a 64-bit odd integer, and R = 60071, a 16-bit odd integer. Then the secret key PK = (P, R). To generate public key, choose two 256-bit

random integers, Q0 = 976641868108585872669312655623 77884310814380857833474263451469838559278518704, and Q1 = 8272128134997139717077855257325457384024565957 4711407902336764309256718858076. Choose a 4-bit random integer R = 11. Compute, X0 = PQ0 = 16664869583829 66664184799041025781757162306834560983826714717021 990187529575671365506913320772720, and X1 = PQ1+RR =1411509592737718470850752083107511713256662407847 359776473346737962843697371168489006029763315961. Public key PK = (X0, X1) EncryptL: Consider two 4-bit, signed, plaintext integers, say M1 = -5, M2 = 7. To encrypt M1, we choose N1 = 13, which is a 4-bit random integer, and get X2 = [N1X1]X0 = [13 141150959273771847085075208310751171325666240 78473597764733467379628436973711684890060297633159 61] mod X0 = 182681633777068150269876291140529 43551236121844855000291620351624905240492805336502 340394607573. Now, choose N2 = 14, a 4-bit random even integer. Then, we get C1 = [M+N2X2]X0 = [-5 + 14 182681633777068150269876291140529 43551236121844855000291620351624905240492805336502 = 255754287287895410377 340394607573] mod X0 82680759674120971730570582797000408268492274867336 6899274711032765524506017. Similarly, to encrypt M2, choose a 4-bit random integer N1 = 10, and get X2 = [N1X1 ]X0 = [10 141150959273771847085075208310751171325666 24078473597764733467379628436973711684890060297633 15961] mod X0 = 78320026031345139502912850286 88630752681694019857271510157312037069367371063139 66004991066977850, Again, choose a 4-bit random even [M+N2X2]X0 = integer N2 = 12, and compute C2 = [ 7 + 12 783200260313451395029128502868863075 26816940198572715101573120370693673710631396600499 = 1065968331846583419 1066977850] mod X0 42554682929744811740649865102380667861518933453230 3197397410764525326199870607. DecryptL : To decrypt compute (C1 mod P) mod R = (25575428728789541037782680759674120971730570582797 0004082684922748673366899274711032765524506017 mod 17063439657879604805 ) mod 60071 = 10932917 mod 60071 = 60066 -5 mod 60071. Similarly, (C2 mod P) mod R = (10659683318465834194255468292974481174064986510238 06678615189334532303197397410764525326199870607 mod 17063439657879604805) mod 60071 = 7208527 mod 60071= 7. EvaluateL: Consider the function, f (x,y) = x2 + xy + y2. This polynomial can be represented as a depth-2 arithmetic circuit of size 6, which is a directed acyclic graph as shown in Figure1. Now, we take x = M1 = -5, and y = M2 = 7. The plaintext resulting from the evaluation of the circuit with these values is, M = f (M1, M2) = f (-5,7) = (-5)2 + (-5 7) + 72 = 39. Now, evaluation of the circuit over the ciphertexts C1 and C2 gives, C = f (C1, C2) = f (255754287287895410377 82680759674120971730570582797000408268492274867336 6899274711032765524506017, 10659683318465834194255 46829297448117406498651023806678615189334532303197 397410764525326199870607)

+ x y

Figure 1. Arithmetic circuit corresponding to f (x,y) = x2 + xy + y2

= (255754287287895410377826807596741209717305705827 970004082684922748673366899274711032765524506017)2 (2557542872878954103778268075967412097 mod X0 + 17305705827970004082684922748673366899274711032765 524506017 10659683318465834194255468292974481 17406498651023806678615189334532303197397410764525 326199870607) mod X0 + (10659683318465834194255 46829297448117406498651023806678615189334532303197 397410764525326199870607)2 mod X0 = ((9678036590708318032592695381022567588042472566084 29516692243130458576178741234964332476334827489 + 39639048644925430156666419300257344130646273331032 0923437360307588594212810045029813895441653519) mod X0 + 8171942506296251667536986405295986006914770455 24465009538461971424912575839775617314623035805409) mod X0 = (13641941455200861048259337311048302001107099899187 50440129603438047170391551279994146371776481008 + 8171942506296251667536986405295986006914770455 24465009538461971424912575839775617314623035805409) mod X0 = 514901437766744607394833330608647043639 88020088223162295334838748189543781538424595408149 1513697. Now, we decrypt this evaluated ciphertext C using DecryptL. We get, (C mod P) mod R = (51490143776674460739483333 06086470436398802008822316229533483874818954378153 84245954081491513697 mod 17063439657879604805) mod 60071 = 30286509797071897 mod 60071= 39, which is equal to M as required. IV. SECURITY OF THE SCHEME

guessing the parity (the LSB) of the plaintext integer in a random ciphertext that contains high noise can be converted in to the ability to solve the two element PAGCD problem using the pair of public key elements (X0, X1) containing low noise. Due to the similarities in the construction and form of ciphertexts, the proposed HEL and the DGHV scheme are identical with only differences in the plaintexts they encrypt and the public key size. Hence, the same strategy employed in [4] and CMNT scheme [8] can be applied in reducing the security of the scheme HEL to solving the two-element PAGCD problem. The following theorem dictates the same, the proof of which is given in the appendix of the full version of this paper. The basic idea that leads to follow the same proof structure irrespective of whether the plaintext is an integer or a single bit is, guessing the parity of the plaintext integer in HEL is equivalent to guessing the plaintext bit in DGHV and CMNT schemes. Moreover, the plaintext in HEL may also be a single bit (0 or 1) some times. Also, HEL successfully defends all the known attacks against the twoelement PAGCD problem similar to those described in [16] and the original manuscript of this paper. Theorem 2. An adversary A with a non-negligible advantage against HEL leads to a probabilistic polynomial time algorithm B for solving the two-element PAGCD problem with a minimum success probability of /2. V. POSSIBLE OPTIMIZATIONS

In view of enhancing the security of the proposed HEL further, the following two optimizations are crucial. Both the optimizations involve small additional computation costs, but, will not affect the overall scheme complexity much. A. Generation of the exact multiple Actual difficulty of the factoring problem depends on the size of the prime factors that constitute the particular composite number to be factored. For example, in practice, if the size of the prime factors involved is 1024 bits or more, the factoring attack can be successfully defended [8]. Hence, in the KeyGenL of HEL it would be safer if the integers P and Q0 1024 are taken as 2 -rough integers. A simple way to do this is generating required number of 1024-bit primes and multiplying them to generate P and Q0 separately. B. Additive error in encryption Instead of simply adding the plaintext integer M to the product N2.X2 to obtain the ciphertext, an additional noise may be added for enhanced security. With this change, the complete EncryptL algorithm is as follows. p-1 p-1 Optimized-EncryptL(PK, M[-2 , 2 )): Choose the p-1 p-1 plaintext integer M to be encrypted from [-2 , 2 ). Choose four s-bit random integers N1, N2 N3, N4. For this, sample

The semantic security of the scheme HEL described so far can be reduced to the hard problem of solving the two-element Partial Approximate Greatest Common Divisor (PAGCD), which is defined as follows. Two-element PAGCD problem: For a random odd positive integer P, given the pair of public key elements (X0, X1) as defined for the scheme HEL, output P. Consider an instance of the scheme for a given security parameter n. Let, (P,R) is the secret key and (X0, X1) is the public key. Let us recall that, in the pair of public key elements X0 is an exact multiple of P and X1 is an approximate multiple. The ciphertexts generated by the scheme are also approximate multiples of P, but, with a high noise or additive error when compared to that of X1. Therefore, the pair of public key elements is the smallest possible instance to solve the PAGCD problem. Any non-negligible advantage in

Ni [2 , 2 ), for i = 1, 2, 3, 4. Compute X2 = [N1X1] mod X0 and X3 = [N2X2] mod X0. Output the ciphertext C = [M+ N4 X2 +N3X3] mod X0.

s-1

VI.

EFFICIENCY OF THE PROPOSED VARIANT

L

VII. CONCLUSIONS In this paper, an efficient, conceptually simple, semantically secure and hopefully practical public key Somewhat Homomorphic Encryption scheme over the integers is proposed. With a smaller public key of (n4) and the overall scheme complexity of (n8), the scheme is capable of encrypting integer plaintexts unlike the existing FHE schemes that employ bitwise encryption. The message expansion is also comparatively low, which is n3. The semantic security of the proposition is based on the two-element Partial Approximate Greatest Common Divisor problem. The computational complexity of the proposition is thoroughly analyzed by comparing with the existing schemes. It is expected that, the method of homomorphic encryption proposed in this work makes the encrypted data processing imminent practically for suitable applications. REFERENCES
[1] [2] [3] [4] [5] [6] [7] C. Gentry, A fully homomorphic encryption scheme, Ph.D Thesis, Stanford University, 2009 C. Gentry, Fully homomorphic encryption using ideal lattices, In STOC, pp 169-178, ACM, 2009. N. P. Smart, F. Vercauteren, Fully homomorphic encryption with relatively small key and ciphertext sizes In Public Key Cryptography PKC'10, Vol. 6056 of LNCS, pp. 420-443,Springer, 2010 M. V. Dijk, C. Gentry, S. Halevi, V. Vaikuntanathan, Fully homomorphic encryption over the integers, Proceedings of Eurocrypt, Vol. 6110 of LNCS, pp. 24-43, Springer, 2010. C. Gentry, Computing arbitrary functions of encrypted data, Communications of the ACM, 53(3), pp.97-105, 2010. D. Stehl, R. Steinfeld, Faster fully homomorphic encryption. ASIACRYPT2010, Vol. 6477 of LNCS, pp.377-394, Springer, 2010 N. Ogura, G. Yamamoto, T. Kobayashi, S. Uchiyama, An improvement of key generation algorithm for Gentrys homomorphic encryption scheme, Advances in Information and Computer Security IWSEC 2010, Vol. 6434 of LNCS, pp. 7083, Springer, 2010. J. S. Coron, A. Mandal, D. Naccache and M. Tibouchi, Fully homomorphic encryption over the integers with shorter public keys, CRYPTO 2011, P. Rogaway (Ed.), Vol. 6841 of LNCS, pp. 487-504, Springer, 2011. Z. Brakerski, V. Vaikuntanathan, Efficient fully homomorphic encryption from (standard) LWE, Electronic Colloquium on Computational Complexity (ECCC) 18: 109, 2011. Z. Brakerski, V. Vaikuntanathan, Fully homomorphic encryption from ring-LWE and security for key dependent messages. CRYPTO 2011, pp.505-524. Z. Brakerski, C Gentry, V. Vaikuntanathan, Fully homomorphic encryption without bootstrapping, Electronic Colloquium on Computational Complexity (ECCC) 18: 111, 2011 P. Scholl, N.P. Smart, Improved key generation for Gentrys fully homomorphic encryption Scheme, Cryptology ePrint Archive: Report 2011/471, http://eprint.iacr.org/2011/471 C. Gentry, S. Halevi, Fully homomorphic encryption without squashing using depth-3 arithmetic circuits, Cryptology ePrint Archive: Report 2011/279. http://eprint.iacr.org/2011/279 K. Lauter, M. Naehrig V. Vaikuntanathan. Can homomorphic encryption be practical?, Cryptology ePrint Archive: Report 2011/405 http://eprint.iacr.org/2011/405 H. Jing-Li, Y. Ming, W. Zhao-Li, Fully homomorphic encryption scheme extended to large message space, International Conference on Instrumentation, Measurement, Computer, Communication and Control, pp.533-536, IEEE, 2011. Y. GovindaRamaiah, G. VijayaKumari, Efficient public key generation for homomorphic encryption over the integers, 3rd International Conference on Advances in Communication, Network and Computing, CNC-2012, Janahan Lal Stephen (Ed.), LNICST, pp. 262268, Springer, 2012.

The improvement in the computational complexity of HE is attributed to the following factors. 1) Unlike the existing schemes, which involve generating a big public key that consists of a large set of (n5) integers [4] or (n2) integers [8] each having a size of (n5), the public key of the proposed scheme consists of invariably two elements (X0, X1 as described in KeyGenL algorithm) of size (n4) bits. Due to this, the size of the public key is (n4). The major step contributing to the key generation complexity is the multiplication of the (n3)-bit secret key integer P with the (n4)-bit Qi, while generating both X0, X1. The bit complexity of this multiplication by an ordinary method will be (n7), which becomes the effective complexity of key generation. 2) Let us consider the complexity of the EncryptL and DecryptL algorithms. EncryptL involves a multiplication of complexity (n4).(n) = (n5) resulting in an integer of size (n4)+(n) = (n4). The modular reduction of this (n4) 2 integer with the (n4) bit X0 takes ((n4) ) = (n8) steps. However, the size of the resulting encrypted integer would be (n4), which may be less than or equal to the size of the modulus X0. In the DecryptL algorithm, the modular reduction of the (n4) bit ciphertext with the (n3) bit secret integer P takes (n8) computations, resulting in an integer (i.e., M+RN) the size of which is less than or equal to (n3). Again, the modular reduction of this (n3) bit integer with (n2) bit secret integer R takes (n6) computations resulting in a plaintext integer (i.e., M) of size less than or equal to (n2). This makes the effective complexity of the DecryptL algorithm as (n8). Finally, the complexity of the EvaluateL algorithm depends on the number of multiplications and modular reductions involved in the circuit to be evaluated. However, the reduced ciphertext expansion speeds up the circuit evaluation during EvaluateL at least by (n). The improvement in computational complexities and comparative analysis with the existing integer based SHE schemes are summarized in TABLE I.
TABLE I SUMMARY OF IMPROVEMENTS OVER THE EXISTING SCHEMES

[8]

[9] [10] [11] [12]

Item of comparison Compactness Size of the public key KeyGen complexity Encrypt complexity Decrypt complexity Message expansion Overall complexity Security base

DGHV SHE [4] -No(n10) (n12) (n10) (n10) n5 (n12) Approximate GCD

CMNT SHE [8] Yes (n7) (n9) (n15) (n10) n5 (n15) PAGCD (Error-free approximate GCD)

Proposed HEL Yes (n4) (n7) (n8) (n8) n3 (n8) Twoelement PAGCD [13] [14] [15]

[16]