Вы находитесь на странице: 1из 12

86 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 4, NO.

1, MARCH 2009

On the Implementation of the Discrete Fourier


Transform in the Encrypted Domain
Tiziano Bianchi, Member, IEEE, Alessandro Piva, Member, IEEE, and Mauro Barni, Senior Member, IEEE

AbstractSignal-processing modules working directly on en- protect the data against third parties or to provide authenticity.
crypted data provide an elegant solution to application scenarios Unfortunately, this may not be sufficient in some applications
where valuable signals must be protected from a malicious pro- since the owner of the data may not trust the processing devices,
cessing device. In this paper, we investigate the implementation of
the discrete Fourier transform (DFT) in the encrypted domain by or those actors that are required to manipulate them. As a first
using the homomorphic properties of the underlying cryptosystem. example, let us consider a situation where a user (say Alice) re-
Several important issues are considered for the direct DFT: the sorts to a continuous monitoring healthcare system to analyze
radix-2 and the radix-4 fast Fourier algorithms, including the her medical/biological data in order to obtain a fast prealert di-
error analysis and the maximum size of the sequence that can be agnosis to help her stay healthy. She will be very likely not to
transformed. We also provide computational complexity analyses
and comparisons. The results show that the radix-4 fast Fourier trust the service provider that will be required to analyze her data
transform is best suited for an encrypted domain implementation while they are encrypted. At the same time, the service provider
in the proposed scenarios. may want to keep its processing algorithms secret since they
Index TermsDiscrete Fourier transform (DFT), error analysis, represent the basis for its business. As a second example, we
fast Fourier transform (FFT), homomorphic encryption, secure may consider a situation where a user wants to query a database
signal processing, signal processing in the encrypted domain, (e.g., a database containing biometric data) without revealing to
signal representation. the database owner (say Bob) what he is looking for (again, this
necessity may be due to privacy reasons). It is evident that the
I. INTRODUCTION availability of tools that allow the processing of an encrypted
query would represent valuable help in solving this problem.

R ECENT advances in signal-processing technology create


the opportunity for a large variety of new applications
ranging from multimedia content production and distribution to
In the following text, we will refer to the aforementioned ap-
proach, where signals are processed as they are encrypted, as
signal processing in the encrypted domain (s.p.e.d.).
advanced health-care systems for continuous health monitoring. Though processing encrypted signals may seem a formi-
These developments raise several important issues concerning dable, if not impossible task, a few approaches exist that make
the security of the digital content to be processed, including in- s.p.e.d. possible. The majority of these approaches concern
tellectual property rights management, authenticity, privacy, and content retrieval and content protection applications. The in-
conditional access. terested reader can find an extensive review of these secure
Currently available solutions for secure manipulation of sig- signal-processing applications in [1]. By neglecting ad-hoc
nals apply some cryptographic primitives in order to build a solutions that are suited to solve only particular problems in
secure layer on top of the signal-processing modules. An ex- very narrow scenarios, two general approaches exist to process
ample of this approach is represented by the encryption of com- encrypted signals: the first one is based on homomorphic
pressed multimedia signals: the multimedia content is first of encryption [2], [3] and the second one relies on multiparty
all compressed through a state-of-the-art compression scheme, computation (MPC) [4][6].
and next, encryption of the compressed bit stream is carried out. A cryptosystem is said to be homomorphic with respect to an
Consequently, the bit stream must be decrypted before the con- operation if an operator exists so that for any two plain
tent can be decompressed and processed. messages and , we have
These solutions typically assume that the involved parties or
devices trust each other and, thus, cryptography is used only to (1)

Manuscript received December 14, 2007; revised October 25, 2008. First pub- where denotes the encryption (decryption) operator.
lished January 27, 2009; current version published February 11, 2009. This work It is evident that homomorphic encryption provides an elegant
was supported by the European Commission through the IST Programme under
Contract No. 034238SPEED. The information in this document reflects only
way of performing at last a reduced set of operations by working
the authors views, is provided as is, and no guarantee or warranty is given that on encrypted data. Among homomorphic cryptosystems, addi-
the information is fit for any particular purpose. The user thereof uses the infor- tively homomorphic encryption plays a crucial role in practical
mation at its sole risk and liability. The associate editor coordinating the review
of this manuscript and approving it for publication was Dr. Bart Preneel.
applications since it provides a way of applying any linear op-
T. Bianchi and A. Piva are with the Dipartimento di Elettronica e erator in the encrypted domain.
Telecomunicazioni, Universit di Firenze, Firenze I-50139, Italy (e-mail: The second approach to s.p.e.d. relies on MPC [4]. Here,
tiziano.bianchi@unifi.it; alessandro.piva@unifi.it). players want to compute the output of a function with
M. Barni is with the Dipartimento di Ingegneria dellInformazione, Universit
di Siena, Siena 53100, Italy (e-mail: barni@dii.unisi.it). inputs, each of which is known to one of the players. An MPC
Digital Object Identifier 10.1109/TIFS.2008.2011087 protocol permits computing the output of without the players
1556-6013/$25.00 2009 IEEE
BIANCHI et al.: ON THE IMPLEMENTATION OF THE DFT 87

having to reveal their private inputs. It has been shown [4] that at a summary of Paillier cryptosystem. In Section IV, we intro-
least, in principle, the output of any function can be computed duce suitable signal representation for the encrypted domain.
securely through MPC; the problem, however, is that MPC pro- Section V is devoted to the analysis of the upper bounds on the
tocols are extremely complex since they may require that several encrypted domain representation for different DFT implementa-
interactive rounds be carried out among the players to compute tions, whereas Section VI takes quantization errors into account.
the output of . In Section VII, we derive the complexity of different s.p.e.d.
In this paper, we focus on noninteractive s.p.e.d. Specifically, FFT algorithms (namely, radix-2 and radix-4 FFT). Finally, in
we focus on the representation problems that must be solved Section VIII, we propose some examples of s.p.e.d. FFT de-
in order to exploit homomorphic encryption for processing en- signs, while some concluding remarks are given in Section IX.
crypted signals.
The classical ways to represent signals are through II. ENCRYPTED DOMAINDISCRETE FOURIER
floating-point or fixed-point arithmetic. Unfortunately, TRANSFORM (EDFT)
floating-point and fixed-point arithmetic are not suited for The DFT of a sequence is defined as
implementation in the encrypted domain through homomorphic
encryption. As a matter of fact, adding two floating-point num- (2)
bers requires more complex operations than simple addition:
first, the numbers must be expressed in a form having the same
where and are a finite duration sequence
exponent, then the significands must be added and then the
with length . Among the appealing properties of the afore-
exponent adjusted so that the significand of the result stays in
mentioned transform, one is that it can be implemented via fast
the range. Clearly, these operations cannot be carried
algorithms, noted as fast Fourier transforms (FFTs).
out in the encrypted domain by relying on homomorphic
We will consider a scenario in which the transform processor
encryption only, but some interactive protocol is required [7].
is fed with a sample-wise encrypted version of the input vector,
Similar considerations hold for fixed-point arithmetic, where
that is
after each addition (multiplication), the resulting number must
be truncated to avoid overflow and underflow errors.1 (3)
In this paper, we focus on the aforementioned representation
problem in the framework of DFT/FFT computation in the en- In order to make linear computations on encrypted values pos-
crypted domain. In fact, DFT and FFT are very popular signal- sible, we will assume that the chosen cryptosystem is homomor-
processing tools and, hence, it is very likely that they will have to phic with respect to the addition, that is, an operator exists
be implemented in s.p.e.d. applications. This is the case, for in- such that
stance, of a pattern-recognition module operating on a set of fre-
(4)
quency coefficients, a frequency-domain watermarking system
embedding the watermark in the encrypted domain [8][10], or With such a cryptosystem, it is indeed possible to add two
a filtering operation carried out in the frequency domain.2 encrypted values without first decrypting them. Moreover, it is
Specifically, we introduce a theoretical framework where possible to multiply an encrypted value by a public integer value
the signal representation problem can be analyzed and solved. by repeatedly applying the operator .
Several important issues are considered for the direct DFT: the Another required property of the cryptosystem is that it
radix-2 and the radix-4 fast Fourier algorithms, including the should be probabilistic, or semantically secure, that is, given
error analysis and the maximum size of the sequence that can two encrypted values, it should not be possible to decide
be transformed. We also provide computational complexity whether they conceal the same value. This is fundamental since
analyses and comparisons. The results show that the radix-4 the alphabet to which the input samples belong to is usually
FFT is best suited for an encrypted domain implementation in limited, and a nonsemantically secure cryptosystem would
the proposed scenarios. disclose a great amount of information about the statistical
Despite the focus of the paper being on DFT/FFT implemen- distribution of the input signal. A widely known example of
tation, the theoretical framework we developed is a very general a cryptosystem fulfilling both of the aforementioned require-
one and can be used in a wide variety of situations. ments is the Paillier cryptosystem [11], for which the operator
The rest of this paper is organized as follows. In Section II, is a modular multiplication.
the encrypted-DFT (e-DFT) is defined and the related represen- Since the DFT transform coefficients are public, the expres-
tation problem is introduced. Section III reviews some proper- sion in (2) can be computed on an encrypted input vector by
ties of homomorphic and probabilistic cryptosystems and gives relying on the homomorphic property, as will be shown in Sec-
1Given the current state of art in homomorphic encryption, there is no way tion IV. As we already mentioned, when the aforementioned
to compare or threshold two encrypted numbers. At the same time, resorting to idea is applied, in practice, some issues need to be addressed.
MPC at this low level is unacceptably complex. First of all, the input samples and the DFT coefficients need
2It could be argued that when the DFT module is either at the beginning or at
to be represented as integer values. Since many practical ho-
the end of the processing chain, the DFT could be applied to the signal by the
signal owner itself. However, this is not the case if the DFT is a step of a more momorphic cryptosystems (e.g., Paillier) are based on modular
complex processing chain, where the DFT is applied to intermediate data. operations on a finite field/ring, the inputs and the output
88 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 4, NO. 1, MARCH 2009

values need to be correctly represented as integers on an possible to perform divisions, since this operation could lead to
appropriate finite field. Here, by correctly represented, we noninteger values.
mean that the actual value of a sample should always be recov- Another feature that we need is that the encryption scheme
erable from its finite-field representation. For example, if we are does not encrypt two equal plain texts into the same cipher
working on , the set of integers modulo , we should have text. More generally, given two encrypted values, it should not
; otherwise, its magnitude will be lost due to be computationally feasible to decide whether they conceal
the modulo operations. the same value or not. For this purpose, it is possible to define
Second, FFT-like algorithms should be applicable also in the a scheme where the encryption function is a function
encrypted domain, thus achieving the same computation savings of the secret message and a random parameter , such
achievable in the plain domain. that if , no adversary can distinguish
In the sequel, we will present a theoretical framework from , for any two secret messages .
wherein the aforementioned issues can be cast and solved. A Let and ; for correct
convenient signal representation for s.p.e.d. will be proposed, behavior, the scheme has to be designed in such a way that
allowing us to define a s.p.e.d. DFT and a s.p.e.d. FFT. We , that is, the decryption phase is
will analyze the quantization error introduced by the s.p.e.d. deterministic, not depending on the random parameter . A
implementation and the maximum size of the sequence that scheme that satisfies the aforementioned property is commonly
can be transformed. Moreover, we will provide computational referred to as probabilistic [3] or semantically secure.
complexity analysis, taking into account the requirements of Luckily, encryption schemes that satisfy the homomorphic
different s.p.e.d. scenarios. and probabilistic properties detailed before do exist. One of the
most known homomorphic and probabilistic schemes is the one
III. HOMOMORPHIC AND PROBABILISTIC CRYPTOSYSTEMS presented by Paillier in [11], and later modified by Damgrd and
One tool for signal processing in the encrypted domain is rep- Jurik in [12].
resented by cryptosystems that enable carrying out some basic
algebraic operations on encrypted data by translating them into A. Paillier Cryptosystem
corresponding operations in the plaintext domain. The concept The cryptosystem described in [11], usually referred to as
of privacy homomorphism was first introduced by Rivest et al. Paillier cryptosystem, is based on the problem to decide whether
[2]: in this paper, the authors define privacy homomorphisms as a number is an th residue modulo . This problem is be-
encryption functions which permit encrypted data to be oper- lieved to be computationally hard in the cryptography commu-
ated on without preliminary decryption of the operands. nity, and is linked to the hardness to factorize , if is the
For an exact definition of a homomorphic cryptosystem, let product of two large primes. For a complete description of the
us first introduce some notations: given a set of possible plain Paillier cryptosystem, we refer to the original paper [11]. Here,
texts , a set of cipher texts , and a key pair (public we simply give the encryption and the decryption procedures.
key and secret key), a public key encryption scheme is a couple The notation we use is the classic one, with the set of the in-
of functions , such that, given teger numbers modulo , and the set of invertible elements
a plaintext , and such that given a modulo (i.e., all of the integer numbers modulo that are
cipher text , it is computationally unfeasible to determine relatively prime with ).
such that , without knowing the secret key . 1) Setup: Select , big primes. The private key is the least
According to the correspondence between the operation in common multiple of , denoted as
the ciphertext domain and the operation in the plaintext domain, . Let and in be an element of order3
a cryptosystem can be additively homomorphic or multiplica- for some ( is usually a convenient choice).
tively homomorphic: in this paper, we will focus on the former. is the public key.
An additively homomorphic cryptosystem allows to map an 2) Encryption: Let be the plaintext, and a
addition in the plaintext domain to an operation in the ciphertext random value. The encryption of is
domain, that usually is a multiplication. Given two plaintexts
and , the following equalities are then satisfied:

(5) 3) Decryption: Let be the ciphertext. The plaintext


hidden in is:
and as a consequence

(6)

where is a public integer and where . From the above equations, we can
easily verify that the Paillier cryptosystem is additively homo-
(7)
morphic, since
Additively homomorphic cryptosystems allow performing .
the encrypted domain additions, subtractions and multiplica- 3The order of an integer a modulo N is the smallest positive integer k such
tions with a known (nonencrypted) value. However, it is not that a = 1 mod N.
BIANCHI et al.: ON THE IMPLEMENTATION OF THE DFT 89

IV. SIGNAL MODEL FOR THE ENCRYPTED DOMAIN where , ,


Let us consider a signal , with , and all computations are carried out modulo . For
, . In the following, we will assume that the example, if we use (12), the DFT in the encrypted domain can
signal is bounded in amplitude, i.e., , from which be evaluated as
.
In order to process in the encrypted domain, the signal
values must be approximated by suitable integers. This is ac-
complished by the following quantization process:

(8)
(14)
where is the rounding function and is a suitable scaling
factor. Fore the sake of simplicity, we will assume that is an for .
integer. Based on the properties of , the quantized signal
will satisfy .
V. UPPER BOUNDS AND MAGNITUDE REQUIREMENTS
In the following, we will consider the encryption of
as the separate encryption of both and , i.e., The computation of the DFT using (11) requires two prob-
. Hence, if the cryptosystem lems to be tackled. The first one is that there will be a scaling
encrypts integers modulo we need a one-to-one mapping factor between and the desired value . The second
between and , so that we one is that in order to implement (11) by using a cryptosystem
can always recover the correct value of from . which encrypts integers modulo , one must ensure that the
This can be achieved by imposing , so that one-to-one mapping in (9) still holds for . Hence,
according to the proposed model, one has to find an upper bound
if on such that , and verify that
(9)
if . .
In the following equation, we will show that, irrespective of
The coefficients in (2) can be quantized using the same the DFT implementation, can always be expressed as
strategy as above. In particular, we define
(15)

where is a scale factor depending on the particular implemen-


(10) tation, whereas takes the propagation of the quantization
error into account.
where is the DFT coefficient scaling factor. Thanks to the Based on (15), the desired DFT output can be obtained as
properties of , we have . . As for the upper bound, we have
Based on the definitions above, the integer approximation of . Hence, for all , we obtain
the DFT is defined as
(16)
(11)
where is a suitable upper bound on and we used
.
Since the equation just shown requires only integer multipli- The value of and depends on the scaling factors
cations and integer additions, it can be evaluated in the en- and and on the particular implementation of the DFT. These
crypted domain by relying on homomorphic properties. How- issues will be discussed in Sections V-AC.
ever, the s.p.e.d. implementation of complex additions and com-
plex multiplications should be considered. The implementation A. Direct Computation
of a complex addition is trivial. As for complex multiplica- Let us express the quantized samples in (8) and the quantized
tion, two implementations can be considered [13], either re- coefficients in (10) as and
quiring four real multiplications and two real additions , respectively, where and are the
or three real multiplications and quantization errors. If the DFT is computed directly by applying
three real additions (11), then we have
. If the inputs are encrypted with the
Paillier cryptosystem, when implemented in the encrypted do-
main, such implementations become

(12)
(17)
(13)
90 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 4, NO. 1, MARCH 2009

The scaling factor in (15) is then . As for the upper (23)


bound given by (16), due to the properties of the rounding
function, . Hence, , Note that the multiplication with is required in order to add
and after simple manipulations (or subtract) integers which are related to the corresponding
complex coefficients by the same scale factor. Hence, the in-
(18) teger implementation of the FFT algorithm requires integer
multiplications at each stage.
As for the upper bound analysis, the two branches of the
from which we derive
butterfly are equivalent. Without loss of generality, let us con-
.
sider the first branch. If we express
1) Real-Valued Signals: In the case of the DFT of a real-
, then we have
valued signal, the direct DFT computation can be expressed as

(19)

From the properties of and , it is evident (24)


that . Therefore, the real and
the imaginary part of the integer DFT values will satisfy from which we derive the following recursive relations:
. This upper bound is lower than
in the complex-valued case. However, in the case of an FFT (25)
algorithm, this applies only for the first stages, since a generic
stage of the FFT will consider a vector of complex valued
samples. It is also worth noting that real-valued signals are
usually processed by means of a half-length complex FFT (26)
[14] since this leads to a sensible reduction of the complexity.
Hence, in the following text, only the complex-valued case will At the first stage , where
be considered. indicates in bit reverse order, so that the recursion starts
2) Bounds on Complex Multiplications: The bound in (18) with and . By using the initial
does not take the intermediate computations of a complex multi- conditions in (26), it is easy to derive the scale factor as
plication into account. This is not a problem in the case of (12), .
since , that is, the intermediate values are As for the evaluation of the final upper bound, we consider
bounded by the final value. However, in the case of (13), we an equivalent recursive relation on an upper bound of the quan-
have and (i.e., the inter- tization error represented in (26), given as
mediate values may exceed the final values). In order to cope
with this behavior, the bound in (18) should be multiplied by a (27)
factor whenever (13) is used. For the sake of simplicity, the
upper bounds in Sections V-B and C will be derived under the By using the initial condition in (27), the upper
hypothesis that (12) is used. The corresponding upper bounds bound on the final quantization error can be expressed as
in the case of (13) can be obtained by multiplying by .

B. Decimation in Time Radix-2 FFT


This algorithm is applied when and allows the DFT
to be computed in stages, each requiring complex mul- (28)
tiplications. At each stage, a pair of coefficients is obtained as
a linear combination of the corresponding pair of coefficients However, the above upper bound does not take into account
computed at the previous stage, using the following butterfly the properties of the twiggle factors , which, in particular
structure: cases, may be quantized with smaller quantization errors than
the upper bound or even without any quantiza-
(20)
tion error. In particular, at the first stage, we have ,
(21) whereas at the second stage, we have . In both
cases, no integer multiplication is required, and the butterflies
where the indices , , and the exponent depend on the
can be modified so that no scaling factor is introduced. There-
particular stage [15]. The computation of the aforementioned
fore, and by using (26), it is easy to derive the scale
butterfly can be performed in the encrypted domain by applying
factor as .
the proposed model, yielding
As for the upper bound, in the case of the first two stages,
(22) the expression in (27) is simplified as , since
BIANCHI et al.: ON THE IMPLEMENTATION OF THE DFT 91

TABLE I
SCALING FACTOR K AND UPPER BOUND Q FOR DIFFERENT S.P.E.D. DFT IMPLEMENTATIONS

. Hence, by using as initial condition in . The scale factor is given as ,


whereas the quantization error upper bound is
(27) (since ), the upper bound on the quantization
error can be expressed as

(34)
(29)
from which we derive the upper bound on as
from which we derive the final upper bound on as .
. The parameters determining the upper bounds for the dif-
ferent DFT implementations are summarized in Table I.
C. Decimation in Time Radix-4 FFT
This algorithm can be employed when and allows VI. ERROR ANALYSIS
the DFT to be computed in stages, each requiring com-
plex multiplications. The rationale of the radix-4 algorithm is The effects of finite precision arithmetic on DFT/FFT com-
that an -point DFT can be evaluated as a linear combination putation have been extensively investigated in the literature
of four -point DFTs. Using this strategy, at each stage, four [17][19]. However, the encrypted domain implementation of
new coefficients are obtained as a linear combination of four co- the DFT introduces some important differences with respect to
efficients computed at the previous stage by using the following the classical fixed-point case. Since there is no rescaling after
radix-4 butterfly [16] multiplication (as we said, we cannot rescale the encrypted
values due to the limited set of operations made available by
homomorphic encryption), there is no computational noise,
(30) which is one of the most relevant noise sources in fixed-point
implementations. Hence, the error introduced by the proposed
DFT/FFT is only due to the quantization of the twiddle factors.
Without loss of generality, the upper bound can be evaluated
In order to estimate the overall quantization error on the DFT
by considering the integer version of the first branch in the but-
values, the noise-to-signal ratio (NSR) will be evaluated. We
terfly, that is
will assume that and are i.i.d. variables with zero
mean and variance and , respectively. Although
is deterministic, this will produce a simple estimate of the quan-
(31) tization noise.
As for the input signal, its NSR can be estimated as
By using the same model as with the radix-2 case, the following
recursive relations can be derived: (35)

(32)
where indicates the signal power.
(33) If we consider the DFT/FFT computation, the output NSR
can be estimated as
Moreover, at the first stage of the radix-4 FFT algorithm
, so that the recursion begins with and (36)
92 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 4, NO. 1, MARCH 2009

where is the variance of . In the case of the direct where we have assumed . As a consequence,
DFT computation, by relying on (17) and neglecting the terms the s.p.e.d. implementation will require in the worst
, we can estimate . case
Hence, it is easy to derive bits for quantizing the twiddle factors (i.e., we save
approximately bits with respect to a plaintext
fixed-point implementation).
(37) Case 2) Floating-point implementation: In the case of plain-
text radix-2 FFT implementation on floating-point
In the case of a radix-2 FFT, the variance of the error at the hardware using bits for the fractional part, the
th stage can be recursively approximated by relying on (26) as NSR bound is given by [15].
Hence
(38)

If we set the initial conditions and , then


radix-2 FFT (43)
we have .
Therefore, the NSR can be expressed as radix-4 FFT.

(39) In this case, the quantization of the twiddle factors in


the s.p.e.d. implementation approximately requires
Finally, in the case of a radix-4 FFT, the variance of the error the same number of bits as the fractional part of the
at the th stage can be recursively approximated in a similar way floating-point registers.
as
VII. COMPLEXITY ANALYSIS
(40)
The complexity of the proposed DFT implementation in the
and since the initial conditions are and encrypted domain depends on several parameters which are re-
lated to the used cryptosystem, its homomorphic properties, to
, the error at the last stage is the input signal, and the desired NSR level.
. Therefore, the NSR is given by For the sake of simplicity, in this paper, we will assume
that a Paillier cryptosystem or one of its extensions is used.
(41) Hence, each addition between plaintexts will be translated
into a modular multiplication between cyphertexts, and each
multiplication between plaintexts will be translated into a
A. Comparison With Plaintext Implementation modular exponentiation of a cyphertexts to a plaintext. More-
Since the value of and, hence, will be fixed by the prop- over, encrypted subtraction requires modular division, which
erties of the input signal, the aforementioned formulas permit is usually more complex than modular multiplication [20],
evaluating the degradation introduced on the encrypted DFT co- [21]. In the following text, we will consider an implementation
efficients as a function of . A fair design criterion could be of subtractions requiring one modular multiplication and one
that of choosing a value of which yields a similar degrada- modular inversion. The same holds for exponentiations to neg-
tion with respect to that introduced by a plaintext FFT imple- ative exponents, usually implemented as . As a
mentation. result, the complexity will be evaluated as the number of mod-
In the following text, comparisons will be made using a plain- ular exponentiations (ME), modular multiplications (MM), and
text radix-2 FFT. Consider that other plaintext FFTs yield sim- modular inversions (MI), which are required for implementing
ilar results. According to the way a plaintext FFT is imple- the DFT/FFT algorithms in the encrypted domain.
mented, two cases need to be analyzed: The DFT/FFT algorithms are based on complex-valued arith-
Case 1) Fixed-point implementation: If a plaintext radix-2 metic. Hence, the complexity of a complex addition, complex
FFT is implemented on fixed-point hardware with subtraction, and complex multiplication have to be translated
registers having bits and scaling is performed at into ME, MM, and MI. As for a s.p.e.d. complex addition, it
each stage, an equivalent encrypted domain imple- always requires two MMs, while the complexity of a complex
mentation should satisfy subtraction is two MMs and two MIs. As for complex multipli-
[15], where is the power of the input signal, as- cation, we consider the two implementations in (12)(13), either
sumed white. If we assume a uniformly distributed requiring four MEs, two MMs and one MI, or three ME, three
quantization error on the DFT coefficients (i.e., MMs, and two MIs. Moreover, if we assume that the sign of the
), we have multipliers is uniformly distributed, either two additional MIs
or one-and-a-half additional MIs should be considered on av-
erage. Finally, if a complex value is multiplied by a real value
radix-2 FFT (42) (rescaled), the complexity is always two MEs and one MI on
radix-4 FFT average.
BIANCHI et al.: ON THE IMPLEMENTATION OF THE DFT 93

TABLE II VIII. PRACTICAL EXAMPLES


COMPUTATIONAL COMPLEXITY OF S.P.E.D. FFT ALGORITHMS: COMPLEX
MULTIPLICATION IS IMPLEMENTED THROUGH FOUR REAL MULTIPLICATIONS As shown in the previous sections, the choice of the param-
eters of the DFT to be implemented in the encrypted domain
depends on several aspects, including the constraints imposed
by the cryptosystem, the required signal-to-noise ratio (SNR),
and the complexity of the implementation. The aim of this sec-
tion is to provide design criteria which take the different issues
raised by the s.p.e.d. DFT into account. First, we will try to iden-
tify some typical scenarios that can be encountered in practical
applications. Therefore, we will show how the proposed anal-
ysis allows us to assess which s.p.e.d. DFT algorithm is more
TABLE III suitable for a particular scenario. In the derivation of such cri-
COMPUTATIONAL COMPLEXITY OF S.P.E.D. FFT ALGORITHMS: COMPLEX
MULTIPLICATION IS IMPLEMENTED THROUGH THREE REAL MULTIPLICATIONS
teria, the analysis made in the previous sections has a crucial
role, since it allows us to give general rules for the choice of the
s.p.e.d. DFT parameters, which will also apply to more general
scenarios.
We will assume that each encrypted domain implementation
fulfills the same requirements in terms of input and output NSR
as the plaintext version. Moreover, for the sake of simplicity,
we will assume that and are powers of two (i.e.,
and ). Finally, we will indicate the bit length of
the modulus used by Paillier as . For security
reasons, recent applications usually require .
The complexity of the direct DFT is simply complex mul- In a nonencrypted domain (plaintext) implementation of the
tiplications and complex additions. The complexity DFT, different scenarios may arise, since the inputs and the
of radix-2 can be derived as follows. Each stage of the radix-2 twiddle factors in the DFT/FFT implementation may be either
FFT, except the first two stages, requires complex multi- fixed-point or floating-point numbers. In our analysis, we will
plications plus rescalings of complex values when imple- consider the following cases.
mented in the encrypted domain. Moreover, each stage also re- Fixed-point inputs: if the input signal is quantized using
quires complex additions and complex subtractions. bits, its values can be directly mapped onto integer values
A similar procedure can be used to derive the complexity of the in the interval so that we can assume
encrypted radix-4 FFT. In this case, each stage, except for the .
first stage, requires complex multiplications plus Floating-point inputs: in order to preserve the whole dy-
rescalings of complex values. Moreover, each radix-4 stage re- namic of the normalized floating-point representation, one
quires also complex additions and complex subtractions. should be able to represent values from to
The complexity results for the different algorithms in terms of , where is the number of bits of the exponent.
MEs, MMs, and MIs are summarized in Tables II and III. Unless some information about the properties of the input
A remark about the encrypted discrete Fourier transform signal is known, this requires .
(DFT)/fast Fourier transform (FFT) complexity is in regard Fixed-point implementation: by using and ,
to the different weight of different modular operations. If a choice satisfying (42) for all implementations is
, a modular exponentiation will require, on or, equivalently,
average, modular multiplications. Hence, in several . If we assume , we can set
practical cases, the cost of the modular multiplications is .
negligible. This may not hold true in the case of the modular Floating-point implementation: a choice satisfying (43) for
inversions, whose complexity is, in general, higher than that of all implementations and all values of is ,
modular multiplication. Hence, the choice of the most conve- from which .
nient implementation between the four multiplication scheme
and the three multiplication scheme will depend on the actual
A. Implementation Constraints
implementation of modular inversion/division.
When the modulus used by the cryptosystem remains the One of the main problems of an implementation in the en-
same, independent of the implementation, the aforementioned crypted domain is its feasibility. Consider a scenario in which a
estimates can be directly compared and the results are similar to set of encrypted signals must undergo different processing tasks.
the classical case. However, in order to maintain the same value It is not realistic to adapt the parameters of the cryptosystem
of , the maximum allowable value of is reduced in the case according to the processing task, mainly because this would
of the FFT algorithms. Since there can be some applications in produce a huge amount of encrypted data, and encrypting data
which this may not be acceptable because of the requirements with a homomorphic cryptosystem is usually an expensive pro-
on the quantization noise, the analysis of the overall complexity cedure. In such a scenario, it is reasonable to assume that the sig-
is strongly dependent on the actual values of and . nals are encrypted once and that each processing task employs
94 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 4, NO. 1, MARCH 2009

the same set of encrypted data. Therefore, each processing task


must rely on a feasible implementation (i.e., an implementation
satisfying the requirements of the modulus).
Given , , and , in order to ensure that no wrap-
around occurs in the internal computations, the modulus of the
cryptosystem must satisfy

(44)

where we can have (DFT), (radix-2), or


(radix-4), and can be obtained from (18), (29),
or (34). Considering practical choices of and , it is safe to
assume , so that the aforementioned bound
is satisfied by requiring

(45)

By using the aforementioned relationship, it is easy to assess


whether a particular FFT can be implemented by relying on the
minimum modulus (and, hence, on a standard Paillier imple-
mentation) or it requires an ad-hoc cryptosystem (e.g., as a func-
tion of ).
According to the considered scenario, one can choose the
convenient values of and and substitute them into (45) in
order to assess which implementation is feasible. In Fig. 1, we
show the minimum required by four different scenarios char-
acterized by fixed-point inputs. If the number of FFT points is
not very high (above ) in all of the scenarios, the encrypted
FFT can be implemented relying on the given modulus. The
only exception is given by the radix-2 implementations by using
high precision coefficients, which require an extended modulus
in order to cope with a number of points greater than . In
Fig. 2, we show the minimum required by three different
scenarios characterized by floating point inputs. As in the pre-
vious example, the radix-2 implementation with single precision
inputs requires an extended modulus only when using double
precision coefficients and . The situation is quite dif-
ferent in the case of double precision inputs: due to the very
high number of bits used to represent the input samples, each
implementation would require an extended modulus. Note that
the radix-4 implementation can be used with even
if the number of DFT points grows very large. However, above
, even the radix-4 implementation does not becomes
any more feasible. Hence, if some processing is required with
(a possible example is the processing of multidimen-
sional signals), one has to resort to an alternative implementa-
tion (for example, the direct DFT) at the cost of greater com-
plexity.
Fig. 1. Minimum value of n = log
d = log
N e as a function of  M
B. Complexity Comparisons for four different scenarios considering fixed-point inputs. (a) DFT. (b) Radix-2
FFT. (c) Radix-4 FFT. The straight line corresponds to n = 1024 = 23
.f
Another important aspect of an encrypted domain implemen- corresponds to IEEE 754 single precision, and f = 52 corresponds to IEEE
tation is its computational complexity. When all of the imple- 754 double precision.
mentations can be used by relying on the same modulus, one can
simply compare the number of modular operations required by
the different approaches. Also, however, a different scenario can fast algorithm requiring a higher modulus size (i.e., the FFT) can
be taken into consideration, in which the modulus of the cryp- be less efficient than a naive implementation requiring a lower
tosystem is set to the minimum value required by a particular modulus size (i.e., the direct DFT).
implementation. Since the cost of a modular operation depends In order to make a complexity comparison, we made the fol-
on the modulus size [22], [23], a natural question is whether a lowing simplifying assumptions: 1) the cost of the algorithm is
BIANCHI et al.: ON THE IMPLEMENTATION OF THE DFT 95

as [24], where can be interpreted as


the cost of a bit operation (bit op).
Given the aforementioned hypotheses, the complexity of the
different implementations can be expressed as

bit ops (46)


bit ops (47)
bit ops (48)

where ,
,, and
, and the coefficients , , and depend on
the implementation of the complex multiplications. It can be
demonstrated that

(49)

is irrespective of the implementation of the complex multiplica-


tions. A detailed proof is given in Appendix A.
As an example in the case of a practical implementation, the
complexity of the proposed FFTs is compared in Fig. 3, as-
suming four real multiplications for each complex multiplica-
tion. Even if both FFTs are obliged to use a large modulus size,
their complexity is always well below that of a direct DFT. In
this scenario, the radix-4 algorithm is always the best one for
what concerns the complexity, irrespective of the other param-
eters.

IX. CONCLUDING REMARKS

We have investigated the implementation of the DFT on a


vector of encrypted samples relying on the homomorphic prop-
erties of the underlying cryptosystem. The relations between
the maximum allowable DFT size and the modulus of the cryp-
tosystem, the DFT/FFT implementation, and the required pre-
cision have been derived. The results have shown that the noise
introduced by a s.p.e.d. implementation is usually smaller than
in a classical fixed-point implementation and comparable to a
floating point one. Also, the computational complexities of the
different approaches have been derived and compared, taking
the constraints of the s.p.e.d. implementation into account. We
considered a first scenario in which the available cryptosystem
is fixed and a second scenario in which the parameters of the
cryptosystem may be adapted to the requirements of the FFT.
The results demonstrate that the radix-4 FFT is best suited for
both scenarios.
Our approach gives useful design criteria for the implemen-
tation of s.p.e.d. modules and suggests several other issues to be
Fig. 2. Minimum value of n = log
d = log
N e as a function of  M for addressed in future research on s.p.e.d. topics. For instance, an
three different scenarios considering floating-point inputs. (a) DFT. (b) Radix-2
FFT. (c) Radix-4 FFT. The straight line corresponds to n = 1024 = 8.c and interesting open question is the tradeoff between feasibility and
f = 23 correspond to IEEE 754 single precision, and c = 11 = 52
and f complexity (i.e., the comparison between feasible but less ef-
correspond to IEEE 754 double precision. ficient implementations and efficient but sometimes unfeasible
ones). Other topics that need further research are the analysis
of s.p.e.d. FFT algorithms having a radix of greater than four,
dominated by the number of exponentiations and 2) the cost of a the analysis of mixed radix and split radix algorithms, and the
modular exponentiation (modulo ) is modeled hardware issues in practical implementations.
96 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 4, NO. 1, MARCH 2009

Clearly, on the given domain. Moreover, at the


boundaries, we have the following constraints:

As for the hyperplane , we have

Consider the partial derivative of . With respect to ,


we have

(51)

since on the domain of . Hence, the


maxima (and minima) of lie on the boundary of the do-
main, from which , ;
.
As for the interior of the domain, let us consider the partial
Fig. 3. Number of bit operations for three different s.p.e.d. DFT implementa-
derivative of with respect to , we have
tions, according to (46)(48). (a) n =7 ,n = 31d 0 = 2+1 2 = e (cor-
responding to 8-bit fixed point inputs and 32-bit fixed-point coefficients). (b)
n = 254 ,n = 51 (corresponding to single precision floating-point inputs
and double-precision floating-point coefficients).

APPENDIX (52)
PROOF OF (49)
since on the given domain. Hence, also the
extrema of lie on the boundary of the domain. This
Consider the expressions of the complexity given in implies
(46)(48). In the following text, we will consider the case
of four real multiplications for each complex multiplication
(i.e., , , and ). The case of
three real multiplications can be proved in a similar way. The which demonstrates the lemma.
following lemmas hold. The proof of (49) follows from the previous two lemmas.
Lemma 1: ; .
Proof: This is immediately proved by inspecting REFERENCES
(47)(48).
[1] Z. Erkin, A. Piva, S. Katzenbeisser, R. L. Lagendijk, J. Shokrollahi, G.
Lemma 2: ; . Neven, and M. Barni, Protection and retrieval of encrypted multimedia
Proof: Consider the functional content: When cryptography meets signal processing, EURASIP J. Inf.
Security, vol. 2007, pp. 2020, 2007.
[2] R. Rivest, L. Adleman, and M. Dertouzos, On data banks and privacy
homomorphisms, in Foundations of Secure Computation, R. DeMillo,
(50) Ed. et al. London, U.K.: Academic, 1978, pp. 169179.
BIANCHI et al.: ON THE IMPLEMENTATION OF THE DFT 97

[3] S. Goldwasser and S. Micali, Probabilistic encryption, J. Comput. Tiziano Bianchi (M05) was born in Prato, Italy,
Syst. Sci., vol. 28, no. 2, pp. 270299, 1984. in 1976. He received the M.Sc. degree (Laurea)
[4] A. C. Yao, Protocols for secure computations, in Proc. IEEE Symp. in electronic engineering and the Ph.D. degree in
Foundations Computer Science, Chicago, IL, Nov. 1982, pp. 160164. information and telecommunication engineering
[5] O. Goldreich, S. Micali, and A. Wigderson, How to play ANY mental from the University of Florence, Florence, Italy, in
game, in Proc. 19th Annu. ACM Conf. Theory of Computing, New 2001 and 2005, respectively
York, 1987, pp. 218229. Since 2005, he has been a Research Assistant with
[6] R. Cramer, I. Damgrd, and J. B. Nielsen, Multiparty computation the Department of Electronics and Telecommunica-
from threshold homomorphic encryption, in , ser. Lect. Notes Comput. tions at the University of Florence. His research inter-
Sci. New York: Springer, 2001, vol. 2045, pp. 280300. ests include applications of multirate systems, signal
[7] B. Schoenmakers and P. Tuyls, Efficient binary conversion for Pail- processing in communications, multicarrier modula-
lier encrypted values, in Proc. Eurocrypt: Advances in Cryptology, tion techniques, and ultra-wideband systems. Recent research topics have in-
ser. Lect. Notes Comput. Sci. Berlin, Germany: Springer, 2006, vol. volved processing of SAR images and signal processing in the encrypted do-
4004, pp. 522537. main.
[8] N. Memon and P. Wong, A buyer-seller watermarking protocol,
IEEE Trans. Image Process., vol. 10, no. 4, pp. 643649, Apr. 2001.
[9] C.-L. Lei, P.-L. Yu, P.-L. Tsai, and M.-H. Chan, An efficient and
anonymous buyer-seller watermarking protocol, IEEE Trans. Image Alessandro Piva (M04) received the electronic
Process., vol. 13, no. 12, pp. 16181626, Dec. 2004. engineering degree (Hons.) and the Ph.D. degree
[10] M. Kuribayashi and H. Tanaka, Fingerprinting protocol for images in computer science and telecommunications engi-
based on additive homomorphic property, IEEE Trans. Image Pro- neering from the University of Florence, Florence,
cessing, vol. 14, no. 12, pp. 21292139, Dec. 2005. Italy, in 1995 and 1999, respectively.
[11] P. Paillier, Public-key cryptosystems based on composite degree He was a Research Scientist at the National Inter-
residuosity classes, in Proc. Eurocrypt: Advances in Cryptology, ser. University Consortium for Telecommunications, Flo-
Lect. Notes Comput. Sci. Berlin, Germany: Springer-Verlag, 1999, rence, Italy, from 2002 to 2004.
vol. 1592, pp. 223238. Currently, he is Assistant Professor at the Univer-
[12] I. Damgrd and M. Jurik, A generalisation, a simplification and some sity of Florence, Florence. His current research inter-
applications of Pailliers probabilistic public-key system, in Public ests are the technologies for multimedia content secu-
Key Cryptography, 2001, pp. 119136. rity and image-processing techniques for the cultural heritage field. He is coau-
[13] M. Vetterli and P. Duhamel, Split-radix algorithms for length-p thor of more than 100 papers published in international journals and conference
DFTs, IEEE Trans. Acoust., Speech, Signal Process., vol. 37, no. 1, proceedings. He holds three Italian patents and an international one regarding
pp. 5764, Jan. 1989. watermarking. He is responsible for the University of Florence of the European
[14] H. Sorensen, D. Jones, M. Heideman, and C. Burrus, Real-valued fast Project SPEED.
Fourier transform algorithms, IEEE Trans. Acoust., Speech, Signal
Process., vol. 35, no. 6, pp. 849863, Jun. 1987.
[15] A. V. Oppenheim and R. W. Schafer, Digital Signal Processing. En-
glewood Cliffs, NJ: Prentice-Hall, 1975.
[16] L. R. Rabiner and B. Gold, Theory and Application of Digital Signal Mauro Barni (SM06) received the electronic engi-
Processing. Englewood Cliffs, NJ: Prentice-Hall, 1975. neering degree and the Ph.D. degree in informatics
[17] P. D. Welch, A fixed-point fast Fourier transform error analysis, IEEE and telecommunications from the University of Flo-
Trans. Audio Electroacoust., vol. AU-17, no. 2, pp. 151157, Jun. 1969. rence, Florence, Italy, in 1991 and 1995, respectively.
[18] A. V. Oppenheim and C. J. Weinstein, Effects of finite register length He has carried out his research activity for
in digital filtering and the fast Fourier transform, Proc. IEEE, vol. 60, more than 15 years first in the Department of Elec-
no. 8, pp. 957976, Aug. 1972. tronics and Telecommunication at the University
[19] D. V. James, Quantization errors in the fast Fourier transform, IEEE of Florence, then at the Department of Information
Trans. Acoust., Speech, Signal Process., vol. ASSP-23, no. 3, pp. Engineering of the University of Siena, Siena,
277283, Jun. 1975. Italy, where he is Associate Professor. During the
[20] E. Savas and . K. Ko, The Montgomery modular inverseRevis- last decade, he has been studying the application
ited, IEEE Trans. Comput., vol. 49, no. 7, pp. 763766, Jul. 2000. of image-processing techniques to copyright protection and authentication
[21] M. E. Kaihara and N. Takagi, A hardware algorithm for modular mul- of multimedia (digital watermarking). He is author/coauthor of about 180
tiplication/division, IEEE Trans. Comput., vol. 54, no. 1, pp. 1221, papers published in international journals and conference proceedings, and
Jan. 2005. holds three patents in the field of digital watermarking. He is coauthor of the
[22] . K. Ko, T. Acar, and B. S. Kalinski, Analyzing and comparing book Watermarking Systems Engineering: Enabling Digital Assets Security
Montgomery multiplication algorithms, IEEE Micro, vol. 16, no. 3, and other Applications (Dekker, 2004). He is the Editor-In-Chief of the
pp. 2633, Jun. 1996. EURASIP Journal on Information Security. He is associate editor of the IEEE
[23] B. S. Kalinski, The Montgomery inverse and its applications, IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS FOR VIDEO TECHNOLOGY and the
Trans. Comput., vol. 44, no. 8, pp. 10641065, Aug. 1995. IET Proceedings on Information Security.
[24] D. E. Knuth, The Art of Computer Programming, 3rd: Seminumerical Prof. Barni is a member of the IEEE Information Forensic and Security tech-
algorithms ed. Reading, MA: Addison-Wesley Longman, 1997, vol. nical Committee (IFS-TC) of the IEEE Signal Processing Society. He is a senior
2. member of EURASIP.

Вам также может понравиться