Академический Документы
Профессиональный Документы
Культура Документы
1, MARCH 2009
AbstractSignal-processing modules working directly on en- protect the data against third parties or to provide authenticity.
crypted data provide an elegant solution to application scenarios Unfortunately, this may not be sufficient in some applications
where valuable signals must be protected from a malicious pro- since the owner of the data may not trust the processing devices,
cessing device. In this paper, we investigate the implementation of
the discrete Fourier transform (DFT) in the encrypted domain by or those actors that are required to manipulate them. As a first
using the homomorphic properties of the underlying cryptosystem. example, let us consider a situation where a user (say Alice) re-
Several important issues are considered for the direct DFT: the sorts to a continuous monitoring healthcare system to analyze
radix-2 and the radix-4 fast Fourier algorithms, including the her medical/biological data in order to obtain a fast prealert di-
error analysis and the maximum size of the sequence that can be agnosis to help her stay healthy. She will be very likely not to
transformed. We also provide computational complexity analyses
and comparisons. The results show that the radix-4 fast Fourier trust the service provider that will be required to analyze her data
transform is best suited for an encrypted domain implementation while they are encrypted. At the same time, the service provider
in the proposed scenarios. may want to keep its processing algorithms secret since they
Index TermsDiscrete Fourier transform (DFT), error analysis, represent the basis for its business. As a second example, we
fast Fourier transform (FFT), homomorphic encryption, secure may consider a situation where a user wants to query a database
signal processing, signal processing in the encrypted domain, (e.g., a database containing biometric data) without revealing to
signal representation. the database owner (say Bob) what he is looking for (again, this
necessity may be due to privacy reasons). It is evident that the
I. INTRODUCTION availability of tools that allow the processing of an encrypted
query would represent valuable help in solving this problem.
Manuscript received December 14, 2007; revised October 25, 2008. First pub- where denotes the encryption (decryption) operator.
lished January 27, 2009; current version published February 11, 2009. This work It is evident that homomorphic encryption provides an elegant
was supported by the European Commission through the IST Programme under
Contract No. 034238SPEED. The information in this document reflects only
way of performing at last a reduced set of operations by working
the authors views, is provided as is, and no guarantee or warranty is given that on encrypted data. Among homomorphic cryptosystems, addi-
the information is fit for any particular purpose. The user thereof uses the infor- tively homomorphic encryption plays a crucial role in practical
mation at its sole risk and liability. The associate editor coordinating the review
of this manuscript and approving it for publication was Dr. Bart Preneel.
applications since it provides a way of applying any linear op-
T. Bianchi and A. Piva are with the Dipartimento di Elettronica e erator in the encrypted domain.
Telecomunicazioni, Universit di Firenze, Firenze I-50139, Italy (e-mail: The second approach to s.p.e.d. relies on MPC [4]. Here,
tiziano.bianchi@unifi.it; alessandro.piva@unifi.it). players want to compute the output of a function with
M. Barni is with the Dipartimento di Ingegneria dellInformazione, Universit
di Siena, Siena 53100, Italy (e-mail: barni@dii.unisi.it). inputs, each of which is known to one of the players. An MPC
Digital Object Identifier 10.1109/TIFS.2008.2011087 protocol permits computing the output of without the players
1556-6013/$25.00 2009 IEEE
BIANCHI et al.: ON THE IMPLEMENTATION OF THE DFT 87
having to reveal their private inputs. It has been shown [4] that at a summary of Paillier cryptosystem. In Section IV, we intro-
least, in principle, the output of any function can be computed duce suitable signal representation for the encrypted domain.
securely through MPC; the problem, however, is that MPC pro- Section V is devoted to the analysis of the upper bounds on the
tocols are extremely complex since they may require that several encrypted domain representation for different DFT implementa-
interactive rounds be carried out among the players to compute tions, whereas Section VI takes quantization errors into account.
the output of . In Section VII, we derive the complexity of different s.p.e.d.
In this paper, we focus on noninteractive s.p.e.d. Specifically, FFT algorithms (namely, radix-2 and radix-4 FFT). Finally, in
we focus on the representation problems that must be solved Section VIII, we propose some examples of s.p.e.d. FFT de-
in order to exploit homomorphic encryption for processing en- signs, while some concluding remarks are given in Section IX.
crypted signals.
The classical ways to represent signals are through II. ENCRYPTED DOMAINDISCRETE FOURIER
floating-point or fixed-point arithmetic. Unfortunately, TRANSFORM (EDFT)
floating-point and fixed-point arithmetic are not suited for The DFT of a sequence is defined as
implementation in the encrypted domain through homomorphic
encryption. As a matter of fact, adding two floating-point num- (2)
bers requires more complex operations than simple addition:
first, the numbers must be expressed in a form having the same
where and are a finite duration sequence
exponent, then the significands must be added and then the
with length . Among the appealing properties of the afore-
exponent adjusted so that the significand of the result stays in
mentioned transform, one is that it can be implemented via fast
the range. Clearly, these operations cannot be carried
algorithms, noted as fast Fourier transforms (FFTs).
out in the encrypted domain by relying on homomorphic
We will consider a scenario in which the transform processor
encryption only, but some interactive protocol is required [7].
is fed with a sample-wise encrypted version of the input vector,
Similar considerations hold for fixed-point arithmetic, where
that is
after each addition (multiplication), the resulting number must
be truncated to avoid overflow and underflow errors.1 (3)
In this paper, we focus on the aforementioned representation
problem in the framework of DFT/FFT computation in the en- In order to make linear computations on encrypted values pos-
crypted domain. In fact, DFT and FFT are very popular signal- sible, we will assume that the chosen cryptosystem is homomor-
processing tools and, hence, it is very likely that they will have to phic with respect to the addition, that is, an operator exists
be implemented in s.p.e.d. applications. This is the case, for in- such that
stance, of a pattern-recognition module operating on a set of fre-
(4)
quency coefficients, a frequency-domain watermarking system
embedding the watermark in the encrypted domain [8][10], or With such a cryptosystem, it is indeed possible to add two
a filtering operation carried out in the frequency domain.2 encrypted values without first decrypting them. Moreover, it is
Specifically, we introduce a theoretical framework where possible to multiply an encrypted value by a public integer value
the signal representation problem can be analyzed and solved. by repeatedly applying the operator .
Several important issues are considered for the direct DFT: the Another required property of the cryptosystem is that it
radix-2 and the radix-4 fast Fourier algorithms, including the should be probabilistic, or semantically secure, that is, given
error analysis and the maximum size of the sequence that can two encrypted values, it should not be possible to decide
be transformed. We also provide computational complexity whether they conceal the same value. This is fundamental since
analyses and comparisons. The results show that the radix-4 the alphabet to which the input samples belong to is usually
FFT is best suited for an encrypted domain implementation in limited, and a nonsemantically secure cryptosystem would
the proposed scenarios. disclose a great amount of information about the statistical
Despite the focus of the paper being on DFT/FFT implemen- distribution of the input signal. A widely known example of
tation, the theoretical framework we developed is a very general a cryptosystem fulfilling both of the aforementioned require-
one and can be used in a wide variety of situations. ments is the Paillier cryptosystem [11], for which the operator
The rest of this paper is organized as follows. In Section II, is a modular multiplication.
the encrypted-DFT (e-DFT) is defined and the related represen- Since the DFT transform coefficients are public, the expres-
tation problem is introduced. Section III reviews some proper- sion in (2) can be computed on an encrypted input vector by
ties of homomorphic and probabilistic cryptosystems and gives relying on the homomorphic property, as will be shown in Sec-
1Given the current state of art in homomorphic encryption, there is no way tion IV. As we already mentioned, when the aforementioned
to compare or threshold two encrypted numbers. At the same time, resorting to idea is applied, in practice, some issues need to be addressed.
MPC at this low level is unacceptably complex. First of all, the input samples and the DFT coefficients need
2It could be argued that when the DFT module is either at the beginning or at
to be represented as integer values. Since many practical ho-
the end of the processing chain, the DFT could be applied to the signal by the
signal owner itself. However, this is not the case if the DFT is a step of a more momorphic cryptosystems (e.g., Paillier) are based on modular
complex processing chain, where the DFT is applied to intermediate data. operations on a finite field/ring, the inputs and the output
88 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 4, NO. 1, MARCH 2009
values need to be correctly represented as integers on an possible to perform divisions, since this operation could lead to
appropriate finite field. Here, by correctly represented, we noninteger values.
mean that the actual value of a sample should always be recov- Another feature that we need is that the encryption scheme
erable from its finite-field representation. For example, if we are does not encrypt two equal plain texts into the same cipher
working on , the set of integers modulo , we should have text. More generally, given two encrypted values, it should not
; otherwise, its magnitude will be lost due to be computationally feasible to decide whether they conceal
the modulo operations. the same value or not. For this purpose, it is possible to define
Second, FFT-like algorithms should be applicable also in the a scheme where the encryption function is a function
encrypted domain, thus achieving the same computation savings of the secret message and a random parameter , such
achievable in the plain domain. that if , no adversary can distinguish
In the sequel, we will present a theoretical framework from , for any two secret messages .
wherein the aforementioned issues can be cast and solved. A Let and ; for correct
convenient signal representation for s.p.e.d. will be proposed, behavior, the scheme has to be designed in such a way that
allowing us to define a s.p.e.d. DFT and a s.p.e.d. FFT. We , that is, the decryption phase is
will analyze the quantization error introduced by the s.p.e.d. deterministic, not depending on the random parameter . A
implementation and the maximum size of the sequence that scheme that satisfies the aforementioned property is commonly
can be transformed. Moreover, we will provide computational referred to as probabilistic [3] or semantically secure.
complexity analysis, taking into account the requirements of Luckily, encryption schemes that satisfy the homomorphic
different s.p.e.d. scenarios. and probabilistic properties detailed before do exist. One of the
most known homomorphic and probabilistic schemes is the one
III. HOMOMORPHIC AND PROBABILISTIC CRYPTOSYSTEMS presented by Paillier in [11], and later modified by Damgrd and
One tool for signal processing in the encrypted domain is rep- Jurik in [12].
resented by cryptosystems that enable carrying out some basic
algebraic operations on encrypted data by translating them into A. Paillier Cryptosystem
corresponding operations in the plaintext domain. The concept The cryptosystem described in [11], usually referred to as
of privacy homomorphism was first introduced by Rivest et al. Paillier cryptosystem, is based on the problem to decide whether
[2]: in this paper, the authors define privacy homomorphisms as a number is an th residue modulo . This problem is be-
encryption functions which permit encrypted data to be oper- lieved to be computationally hard in the cryptography commu-
ated on without preliminary decryption of the operands. nity, and is linked to the hardness to factorize , if is the
For an exact definition of a homomorphic cryptosystem, let product of two large primes. For a complete description of the
us first introduce some notations: given a set of possible plain Paillier cryptosystem, we refer to the original paper [11]. Here,
texts , a set of cipher texts , and a key pair (public we simply give the encryption and the decryption procedures.
key and secret key), a public key encryption scheme is a couple The notation we use is the classic one, with the set of the in-
of functions , such that, given teger numbers modulo , and the set of invertible elements
a plaintext , and such that given a modulo (i.e., all of the integer numbers modulo that are
cipher text , it is computationally unfeasible to determine relatively prime with ).
such that , without knowing the secret key . 1) Setup: Select , big primes. The private key is the least
According to the correspondence between the operation in common multiple of , denoted as
the ciphertext domain and the operation in the plaintext domain, . Let and in be an element of order3
a cryptosystem can be additively homomorphic or multiplica- for some ( is usually a convenient choice).
tively homomorphic: in this paper, we will focus on the former. is the public key.
An additively homomorphic cryptosystem allows to map an 2) Encryption: Let be the plaintext, and a
addition in the plaintext domain to an operation in the ciphertext random value. The encryption of is
domain, that usually is a multiplication. Given two plaintexts
and , the following equalities are then satisfied:
(6)
where is a public integer and where . From the above equations, we can
easily verify that the Paillier cryptosystem is additively homo-
(7)
morphic, since
Additively homomorphic cryptosystems allow performing .
the encrypted domain additions, subtractions and multiplica- 3The order of an integer a modulo N is the smallest positive integer k such
tions with a known (nonencrypted) value. However, it is not that a = 1 mod N.
BIANCHI et al.: ON THE IMPLEMENTATION OF THE DFT 89
(8)
(14)
where is the rounding function and is a suitable scaling
factor. Fore the sake of simplicity, we will assume that is an for .
integer. Based on the properties of , the quantized signal
will satisfy .
V. UPPER BOUNDS AND MAGNITUDE REQUIREMENTS
In the following, we will consider the encryption of
as the separate encryption of both and , i.e., The computation of the DFT using (11) requires two prob-
. Hence, if the cryptosystem lems to be tackled. The first one is that there will be a scaling
encrypts integers modulo we need a one-to-one mapping factor between and the desired value . The second
between and , so that we one is that in order to implement (11) by using a cryptosystem
can always recover the correct value of from . which encrypts integers modulo , one must ensure that the
This can be achieved by imposing , so that one-to-one mapping in (9) still holds for . Hence,
according to the proposed model, one has to find an upper bound
if on such that , and verify that
(9)
if . .
In the following equation, we will show that, irrespective of
The coefficients in (2) can be quantized using the same the DFT implementation, can always be expressed as
strategy as above. In particular, we define
(15)
(12)
(17)
(13)
90 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 4, NO. 1, MARCH 2009
(19)
TABLE I
SCALING FACTOR K AND UPPER BOUND Q FOR DIFFERENT S.P.E.D. DFT IMPLEMENTATIONS
(34)
(29)
from which we derive the upper bound on as
from which we derive the final upper bound on as .
. The parameters determining the upper bounds for the dif-
ferent DFT implementations are summarized in Table I.
C. Decimation in Time Radix-4 FFT
This algorithm can be employed when and allows VI. ERROR ANALYSIS
the DFT to be computed in stages, each requiring com-
plex multiplications. The rationale of the radix-4 algorithm is The effects of finite precision arithmetic on DFT/FFT com-
that an -point DFT can be evaluated as a linear combination putation have been extensively investigated in the literature
of four -point DFTs. Using this strategy, at each stage, four [17][19]. However, the encrypted domain implementation of
new coefficients are obtained as a linear combination of four co- the DFT introduces some important differences with respect to
efficients computed at the previous stage by using the following the classical fixed-point case. Since there is no rescaling after
radix-4 butterfly [16] multiplication (as we said, we cannot rescale the encrypted
values due to the limited set of operations made available by
homomorphic encryption), there is no computational noise,
(30) which is one of the most relevant noise sources in fixed-point
implementations. Hence, the error introduced by the proposed
DFT/FFT is only due to the quantization of the twiddle factors.
Without loss of generality, the upper bound can be evaluated
In order to estimate the overall quantization error on the DFT
by considering the integer version of the first branch in the but-
values, the noise-to-signal ratio (NSR) will be evaluated. We
terfly, that is
will assume that and are i.i.d. variables with zero
mean and variance and , respectively. Although
is deterministic, this will produce a simple estimate of the quan-
(31) tization noise.
As for the input signal, its NSR can be estimated as
By using the same model as with the radix-2 case, the following
recursive relations can be derived: (35)
(32)
where indicates the signal power.
(33) If we consider the DFT/FFT computation, the output NSR
can be estimated as
Moreover, at the first stage of the radix-4 FFT algorithm
, so that the recursion begins with and (36)
92 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 4, NO. 1, MARCH 2009
where is the variance of . In the case of the direct where we have assumed . As a consequence,
DFT computation, by relying on (17) and neglecting the terms the s.p.e.d. implementation will require in the worst
, we can estimate . case
Hence, it is easy to derive bits for quantizing the twiddle factors (i.e., we save
approximately bits with respect to a plaintext
fixed-point implementation).
(37) Case 2) Floating-point implementation: In the case of plain-
text radix-2 FFT implementation on floating-point
In the case of a radix-2 FFT, the variance of the error at the hardware using bits for the fractional part, the
th stage can be recursively approximated by relying on (26) as NSR bound is given by [15].
Hence
(38)
(44)
(45)
where ,
,, and
, and the coefficients , , and depend on
the implementation of the complex multiplications. It can be
demonstrated that
(49)
(51)
APPENDIX (52)
PROOF OF (49)
since on the given domain. Hence, also the
extrema of lie on the boundary of the domain. This
Consider the expressions of the complexity given in implies
(46)(48). In the following text, we will consider the case
of four real multiplications for each complex multiplication
(i.e., , , and ). The case of
three real multiplications can be proved in a similar way. The which demonstrates the lemma.
following lemmas hold. The proof of (49) follows from the previous two lemmas.
Lemma 1: ; .
Proof: This is immediately proved by inspecting REFERENCES
(47)(48).
[1] Z. Erkin, A. Piva, S. Katzenbeisser, R. L. Lagendijk, J. Shokrollahi, G.
Lemma 2: ; . Neven, and M. Barni, Protection and retrieval of encrypted multimedia
Proof: Consider the functional content: When cryptography meets signal processing, EURASIP J. Inf.
Security, vol. 2007, pp. 2020, 2007.
[2] R. Rivest, L. Adleman, and M. Dertouzos, On data banks and privacy
homomorphisms, in Foundations of Secure Computation, R. DeMillo,
(50) Ed. et al. London, U.K.: Academic, 1978, pp. 169179.
BIANCHI et al.: ON THE IMPLEMENTATION OF THE DFT 97
[3] S. Goldwasser and S. Micali, Probabilistic encryption, J. Comput. Tiziano Bianchi (M05) was born in Prato, Italy,
Syst. Sci., vol. 28, no. 2, pp. 270299, 1984. in 1976. He received the M.Sc. degree (Laurea)
[4] A. C. Yao, Protocols for secure computations, in Proc. IEEE Symp. in electronic engineering and the Ph.D. degree in
Foundations Computer Science, Chicago, IL, Nov. 1982, pp. 160164. information and telecommunication engineering
[5] O. Goldreich, S. Micali, and A. Wigderson, How to play ANY mental from the University of Florence, Florence, Italy, in
game, in Proc. 19th Annu. ACM Conf. Theory of Computing, New 2001 and 2005, respectively
York, 1987, pp. 218229. Since 2005, he has been a Research Assistant with
[6] R. Cramer, I. Damgrd, and J. B. Nielsen, Multiparty computation the Department of Electronics and Telecommunica-
from threshold homomorphic encryption, in , ser. Lect. Notes Comput. tions at the University of Florence. His research inter-
Sci. New York: Springer, 2001, vol. 2045, pp. 280300. ests include applications of multirate systems, signal
[7] B. Schoenmakers and P. Tuyls, Efficient binary conversion for Pail- processing in communications, multicarrier modula-
lier encrypted values, in Proc. Eurocrypt: Advances in Cryptology, tion techniques, and ultra-wideband systems. Recent research topics have in-
ser. Lect. Notes Comput. Sci. Berlin, Germany: Springer, 2006, vol. volved processing of SAR images and signal processing in the encrypted do-
4004, pp. 522537. main.
[8] N. Memon and P. Wong, A buyer-seller watermarking protocol,
IEEE Trans. Image Process., vol. 10, no. 4, pp. 643649, Apr. 2001.
[9] C.-L. Lei, P.-L. Yu, P.-L. Tsai, and M.-H. Chan, An efficient and
anonymous buyer-seller watermarking protocol, IEEE Trans. Image Alessandro Piva (M04) received the electronic
Process., vol. 13, no. 12, pp. 16181626, Dec. 2004. engineering degree (Hons.) and the Ph.D. degree
[10] M. Kuribayashi and H. Tanaka, Fingerprinting protocol for images in computer science and telecommunications engi-
based on additive homomorphic property, IEEE Trans. Image Pro- neering from the University of Florence, Florence,
cessing, vol. 14, no. 12, pp. 21292139, Dec. 2005. Italy, in 1995 and 1999, respectively.
[11] P. Paillier, Public-key cryptosystems based on composite degree He was a Research Scientist at the National Inter-
residuosity classes, in Proc. Eurocrypt: Advances in Cryptology, ser. University Consortium for Telecommunications, Flo-
Lect. Notes Comput. Sci. Berlin, Germany: Springer-Verlag, 1999, rence, Italy, from 2002 to 2004.
vol. 1592, pp. 223238. Currently, he is Assistant Professor at the Univer-
[12] I. Damgrd and M. Jurik, A generalisation, a simplification and some sity of Florence, Florence. His current research inter-
applications of Pailliers probabilistic public-key system, in Public ests are the technologies for multimedia content secu-
Key Cryptography, 2001, pp. 119136. rity and image-processing techniques for the cultural heritage field. He is coau-
[13] M. Vetterli and P. Duhamel, Split-radix algorithms for length-p thor of more than 100 papers published in international journals and conference
DFTs, IEEE Trans. Acoust., Speech, Signal Process., vol. 37, no. 1, proceedings. He holds three Italian patents and an international one regarding
pp. 5764, Jan. 1989. watermarking. He is responsible for the University of Florence of the European
[14] H. Sorensen, D. Jones, M. Heideman, and C. Burrus, Real-valued fast Project SPEED.
Fourier transform algorithms, IEEE Trans. Acoust., Speech, Signal
Process., vol. 35, no. 6, pp. 849863, Jun. 1987.
[15] A. V. Oppenheim and R. W. Schafer, Digital Signal Processing. En-
glewood Cliffs, NJ: Prentice-Hall, 1975.
[16] L. R. Rabiner and B. Gold, Theory and Application of Digital Signal Mauro Barni (SM06) received the electronic engi-
Processing. Englewood Cliffs, NJ: Prentice-Hall, 1975. neering degree and the Ph.D. degree in informatics
[17] P. D. Welch, A fixed-point fast Fourier transform error analysis, IEEE and telecommunications from the University of Flo-
Trans. Audio Electroacoust., vol. AU-17, no. 2, pp. 151157, Jun. 1969. rence, Florence, Italy, in 1991 and 1995, respectively.
[18] A. V. Oppenheim and C. J. Weinstein, Effects of finite register length He has carried out his research activity for
in digital filtering and the fast Fourier transform, Proc. IEEE, vol. 60, more than 15 years first in the Department of Elec-
no. 8, pp. 957976, Aug. 1972. tronics and Telecommunication at the University
[19] D. V. James, Quantization errors in the fast Fourier transform, IEEE of Florence, then at the Department of Information
Trans. Acoust., Speech, Signal Process., vol. ASSP-23, no. 3, pp. Engineering of the University of Siena, Siena,
277283, Jun. 1975. Italy, where he is Associate Professor. During the
[20] E. Savas and . K. Ko, The Montgomery modular inverseRevis- last decade, he has been studying the application
ited, IEEE Trans. Comput., vol. 49, no. 7, pp. 763766, Jul. 2000. of image-processing techniques to copyright protection and authentication
[21] M. E. Kaihara and N. Takagi, A hardware algorithm for modular mul- of multimedia (digital watermarking). He is author/coauthor of about 180
tiplication/division, IEEE Trans. Comput., vol. 54, no. 1, pp. 1221, papers published in international journals and conference proceedings, and
Jan. 2005. holds three patents in the field of digital watermarking. He is coauthor of the
[22] . K. Ko, T. Acar, and B. S. Kalinski, Analyzing and comparing book Watermarking Systems Engineering: Enabling Digital Assets Security
Montgomery multiplication algorithms, IEEE Micro, vol. 16, no. 3, and other Applications (Dekker, 2004). He is the Editor-In-Chief of the
pp. 2633, Jun. 1996. EURASIP Journal on Information Security. He is associate editor of the IEEE
[23] B. S. Kalinski, The Montgomery inverse and its applications, IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS FOR VIDEO TECHNOLOGY and the
Trans. Comput., vol. 44, no. 8, pp. 10641065, Aug. 1995. IET Proceedings on Information Security.
[24] D. E. Knuth, The Art of Computer Programming, 3rd: Seminumerical Prof. Barni is a member of the IEEE Information Forensic and Security tech-
algorithms ed. Reading, MA: Addison-Wesley Longman, 1997, vol. nical Committee (IFS-TC) of the IEEE Signal Processing Society. He is a senior
2. member of EURASIP.