Professional Documents
Culture Documents
5, MAY 2015
Abstract— We introduce a hybrid homomorphic encryption computations on the encrypted data and then sends them to
that combines public-key encryption (PKE) and somewhat homo- an agency who has a decryption key for the FHE. This is com-
morphic encryption (SHE) to reduce the storage requirements mon in typical FHE scenarios, such as medical and financial
of most somewhat or fully homomorphic encryption (FHE)
applications. In this model, messages are encrypted with a applications [16]. In this situation, one approach to reduce the
PKE and computations on encrypted data are carried out storage requirement is to use AES encryption to encrypt data,
using SHE or FHE after homomorphic decryption. To obtain and then perform homomorphic computations on ciphertexts
efficient homomorphic decryption, our hybrid scheme combines after converting to FHE-ciphertexts. This method has a great
IND-CPA PKE without complicated message padding with SHE advantage in storage and communication, because only small
with a large integer message space. Furthermore, if the underly-
ing PKE is multiplicative, the proposed scheme has the advantage AES-ciphertexts are transmitted from user to server, and these
that polynomials of arbitrary degree can be evaluated without are homomorphically decrypted only when their homomor-
bootstrapping. We construct this scheme by concatenating the phic computations are required. In an asymmetric setting,
ElGamal and Goldwasser–Micali schemes over a ring Z N for a we can still use this approach by adding several public-key
composite integer N whose message space is Z× N . To accelerate FHE ciphertexts of a session key. However this approach
the homomorphic evaluation of the PKE decryption, we introduce is not practical when the amount of messages transmitted
a method to reduce the degree of the exponentiation circuit at
the cost of additional public keys. Using the same technique, simultaneously is small compared with the size of on FHE
we present an efficient partial solution to an open problem ciphertext. Moreover, the conversion of AES-ciphertexts into
which is to evaluate mod q mod p arithmetic homomorphically FHE-ciphertexts requires a leveled FHE with multiplicative
for large p. As an independent interest, we also obtain a generic depth of at least forty [2], [4], [9].1
method for converting from private-key SHE to public-key SHE. In this paper, we explore an alternative method that encrypts
Unlike the method described by Rothblum, we are free to choose
the SHE message space. messages with a public key encryption (PKE) and converts
Index Terms— ElGamal, Goldwasser–Micali, Naccache-Stern, them into SHE-ciphertexts for homomorphic computations.
hybrid scheme, homomorphic encryption, fully homomorphic In this approach, the ciphertext expansion ratio is only two or
encryption, bootstrapping. three regardless of the message size. Moreover, the decryption
circuit is very shallow when the SHE allows large integers as
I. I NTRODUCTION messages. For example, the decryption circuit of ElGamal over
Authorized licensed use limited to: New York University. Downloaded on October 10,2021 at 06:08:24 UTC from IEEE Xplore. Restrictions apply.
CHEON AND KIM: HYBRID SCHEME OF PKE AND SHE 1053
One problem when using MHE in the hybrid scheme is B. Homomorphic Encryption Schemes
that the message space for MHE schemes is not usually Definition 4 (ElGamal Encryption Over a Ring): Let R be
closed under addition. For example, the (IND-CPA) ElGamal a ring. The ElGamal encryption scheme ElG = (ElG.KG,
encryption over a ring R can only take messages with elements ElG.Enc, ElG.Dec) consists of the following algorithms:
in a prime order subgroup, which covers only a small part of R. • ElG.KG(λ): Choose a multiplicative cyclic subgroup Gq
To resolve this, therefore, we construct a MHE whose message of prime order q in R such that the DDH assumption
space is Z×N for an RSA modulus N = p1 p2 . The proposed holds with respect to the security parameter λ. Choose a
scheme is constructed by combining ElGamal encryption generator g of Gq and a random e ∈ [0, q), and compute
over Z× N and Goldwasser-Micali encryption over Z N , and is y = g e . Output a public key pk ElG = (R, Gq , g, y) and
secure under the decisional Diffie–Hellman assumption and a secret key sk ElG = e.
the quadratic residuosity assumption for common N = pq. • ElG.Enc( pk ElG , m): Take as input the public key pk ElG
We remark that our technique solves the open problem and a plaintext m ∈ Gq . Choose a random r ∈ [0, q) and
of [13] when the FHE message space is Z p for large p. compute g −r and m · y r . Output c = (g −r , m · y r ).
We convert the double modulo reduction into a depth-3 circuit, • ElG.Dec(sk ElG , c): Take as input the secret key sk ElG
and then, we apply the technique of [8]. Our improved tech- and a ciphertext c = (v, u) ∈ R 2 . Output m = v e u.
nique plays an important role in this method, as the parameters Definition 5 (Goldwasser–Micali Encryption): The
depend heavily on the homomorphic capacity of FHE. Goldwasser-Micali encryption scheme GM = (GM.KG,
As an independent interest, we also present a generic GM.Enc, GM.Dec) consists of the following algorithms:
method for converting from a private-key SHE to a public-key • GM.KG(λ): Choose random primes p, q and com-
SHE using our hybrid scheme. In this case, the message space pute N = pq such that the 1-QR assumption holds
is Z p for a large integer p > 2 and the public key is the with respect to the security parameter λ. Compute the
encryption of the secret key of a PKE under private-key SHE, quadratic non–residue y modulo N satisfying yp =
which is much smaller than that described in [20].
y
q = −1. Output a public key pk GM = (N, y) and a
secret key sk GM = ( p).
II. P RELIMINARIES
• GM.Enc( pk GM , m): For a plaintext m ∈ {0, 1},
In this section, we introduce some definitions and base choose a random x ∈ Z× N and output a ciphertext
problems needed to prove the security of our schemes. c = y m x 2 mod N.
Notation: For m, n ∈ N, [m, n] and [m, n) denote the sets • GM.Dec(sk GM , c): For a ciphertext c ∈ Z× , if c
=1
N p
{m, m+1, . . . , n−1, n} and {m, m+1, . . . , n−2, n−1}, respec- 2
output 0. Otherwise output 1.
tively. We denote the element in Z∩(− n2 , n2 ] that is equivalent
Definition 6 (Joye–Libert Encryption): The Joye-Libert
n by a mod n or [a]n , and the unique integer in
to amodulo
p p encryption scheme JL = (JL.KG, JL.Enc, JL.Dec) consists
(− i2 i , i2 i ] that is congruent to m i modulo pi for all i
of the following algorithms:
by C RT( p1 ,..., pk ) (m
a1, . . . , m k ). For an integer N,× we use2 sets • JL.KG(λ): Choose an integer k ≥ 1 and random primes
J N := {a ∈ Z× | N = 1} and QR N := {a ∈ Z N |a
= b for
N p and q with p ≡ q ≡ 1 (mod 2k ), and set N = pq
some b ∈ Z× N }. We denote a φ(N)/ p mod N by a
N p. such that the k-QR assumption holds with respect to the
security parameter λ. Choose a random y ∈ J N \QR N .
A. Hard Problems Output a public key pk JL = (N, y, k) and a secret key
sk JL = ( p).
Definition 1 (Decisional Diffie–Hellman Problem Over G): • JL.Enc( pk JL , m): For a plaintext 0 ≤ m < 2k ,
Let G be a group with a generator g of order q. For a given choose a random x ∈ Z× N and output a ciphertext
tuple (g, g a , g b , g c ), the decisional Diffie–Hellman (DDH) k
c = y m x 2 mod N.
problem over G is to determine whether g ab = g c . ×
• JL.Dec(sk
JL , c): For a ciphertext c ∈ Z N , compute
Definition 2 (k-Quadratic Residuosity Problem Over Z N ):
Given an odd composite integer N = pq such that z = cp k and then find and output m ∈ {0, 1}k such
a p ≡ q ≡ 1 2
(mod 2k ) and a ∈ J N where J N := {a ∈ Z× N | N = 1}, the that the relation
k-quadratic residuosity problem (k-QR) over Z N is to deter-
m
y
mine whether a is quadratic residue modulo N. =z (mod p)
p 2k
Definition 3 (Higher Residuosity Problem Over Z N ): For a
given odd composite integer N = pq, an integer d such that holds.
d|( p − 1), and an integer a ∈ Z N , the higher residuosity Remark 1: Note that the case k = 1 corresponds to the
problem (HR) over Z N is to determine whether a is the Goldwasser-Micali cryptosystem.
d-th residue modulo N. Definition 7 (Naccache-Stern Encryption): The
We say that the DDH assumption over Gq holds if no Naccache-Stern encryption scheme NS = (NS.KG,
polynomial time distinguisher can solve the DDH problem NS.Enc, NS.Dec) consists of the following algorithms:
with non-negligible advantage with respect to the security • NS.KG(λ): Choose k p1, . . . , pk ,
k/2random small primes
parameter λ. The k-QR and HR assumptions over Z N are compute u = p
i=1 i and v = i=k/2+1 pi and
defined similarly. set σ = uv. Choose large primes a and b such that
Authorized licensed use limited to: New York University. Downloaded on October 10,2021 at 06:08:24 UTC from IEEE Xplore. Restrictions apply.
1054 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 5, MAY 2015
p = 2au + 1 and q = 2bv + 1 are prime and set N = pq • Hyb.Conv( pk Hyb , c): Evaluate the decryption circuit
such that the HR assumption holds with respect to the PKE.Dec with pk Hyb . That is, compute and output a
security parameter λ. Choose a random g mod N of ciphertext C, where
order φ(n)/4. Output a public key pk NS = (σ, N, g)
and a secret key sk NS = ( p). C = f Dec SHE.Enc(sk PKE ), SHE.Enc(c) .
• NS.Enc( pk NS , m): For a plaintext m ∈ Zσ , choose • Hyb.Eval( pk Hyb , f, C1 , . . . , Ct ): For a given circuit
x ∈ Z N and output a ciphertext c = x σ g m mod N. f and t ciphertexts C1 , . . . , Ct under SHE, output
• NS.Dec(sk NS , c): For a ciphertext c ∈ Z× N , compute
z = cφ(N)/ pi and find m i such that the relation C = SHE.Eval( pk SHE , f, C1 , . . . , Ct ).
m i
g • Hyb.Dec(sk Hyb , c): For a ciphertext C ∈ C pk SHE , output
= z (mod N)
N pi m = SHE.Dec(sk SHE , C).
holds for each i . Output Remark 2: In the Hyb.Conv algorithm, note that
III. E NCRYPT W ITH PKE AND C OMPUTE W ITH SHE since SHE can evaluate the decryption circuit of
PKE f Dec .
In this section, we describe the concept of a hybrid
Remark 3: In our hybrid scheme, the homomorphic capac-
scheme that combines PKE and SHE. A message is encrypted
ity of SHE at least exceeds the degree of the decryption circuit
using PKE, and converted to a ciphertext under SHE when
f Dec of PKE.
homomorphic computations on the message are needed. The
Theorem 1 (Semantic Security of Hybrid Scheme): If both
ciphertext is decrypted under SHE.
the PKE and the SHE are semantically secure, then so is the
hybrid scheme.
A. A Hybrid Scheme of PKE and SHE Proof: Suppose a polynomial time adversary
Suppose that a client who has limited computation B = (B1 , B2 ) breaks the semantic security of the scheme
capability wants to compute f (m 1 , . . . , m k ) for sensitive with non-negligible advantage. We define the advantage of
messages {m 1 , . . . , m k } and a multivariate polynomial f . adversary B by
The client could outsource the heavy computation to a
AdvB (λ) := Pr B2 (x 0 , x 1 , pk Hyb , y) = b
server that has sufficient computing power. Currently, FHE
is a good way of delegating computations, if we ignore ( pk PKE , sk PKE ) ← PKE.KG, ( pk SHE , sk SHE ) ← SHE.KG,
the client’s bandwidth and the server’s storage. However, (x 0 , x 1 , pk Hyb ) ← B1 ( pk PKE , pk SHE , SHE(sk PKE )),
these are very significant measures in the construction of a
cloud environment, as they are directly connected to the real b ← {0, 1}, y ← PKE.Enc(x b ) − 0.5,
cost.
and denote this by AdvB . We will show that we can use B
The bandwidth and storage requirements can be reduced by
to break either PKE or SHE. We now set up two games for
combining PKE with a small ciphertext size and SHE that can
PKE and SHE.
evaluate the decryption circuit of the PKE, rather than its own
In the game for PKE, the adversary APKE only has access
decryption circuit. We propose a hybrid scheme to improve the
to pk PKE . APKE prepares the following game for B.
efficiency of SHE when used in a cloud computing environ-
1) APKE runs PKE.KG and SHE.KG to obtain
ment. Let PKE = (PKE.KG, PKE.Enc, PKE.Dec) be a PKE
( pk PKE , sk PKE ) and ( pk SHE , sk SHE ).
and SHE = (SHE.KG, SHE.Enc, SHE.Dec, SHE.Eval) be
2) APKE sends ( pk PKE , pk SHE , SHE.Enc(sk PKE )) to B1
a SHE. Suppose that there exists a circuit f Dec such that
as a public key of Hyb.
f Dec (sk, c) = m for all ciphertexts c = PKE.Enc(m) and
3) B1 chooses x 0 , x 1 and sends them to APKE .
secret key sk. We also assume that f Dec can be evaluated
4) APKE selects b ← {0, 1} and sends y ← PKE.Enc(x b )
homomorphically under SHE. The Hybrid scheme of PKE
to B2 .
and SHE consists of the following five algorithms Hyb =
5) B2 outputs b ∈ {0, 1} to APKE as an answer.
(Hyb.KG, Hyb.Enc, Hyb.Conv, Hyb.Eval, Hyb.Dec):
6) APKE outputs b = b .
• Hyb.KG(λ, PKE.KG, SHE.KG): Run PKE.KG and
Steps 2)−6) of this game are identical to the standard game for
SHE.KG to get ( pk PKE , sk PKE , pk SHE , sk SHE ). Output
Hyb with an unmatched pair of pk Hyb and pk PKE . Therefore
pk Hyb = ( pk PKE , pk SHE , SHE.Enc(sk PKE )) AdvAPKE ≤ AdvB .
sk Hyb = (sk SHE ), In the game for SHE, the adversary ASHE only has access
to pk SHE . ASHE prepares the following game for B.
where SHE.Enc(sk PKE ) is an encryption of sk PKE under 1) ASHE runs SHE.KG and SHE.KG to obtain
SHE. ( pk PKE , sk PKE ) and ( pk SHE , sk SHE ).
• Hyb.Enc( pk Hyb , m): For a plaintext m ∈ M pk PKE , output 2) ASHE runs PKE.KG again to get another secret key
c = PKE.Enc( pk PKE , m). sk PKE .
Authorized licensed use limited to: New York University. Downloaded on October 10,2021 at 06:08:24 UTC from IEEE Xplore. Restrictions apply.
CHEON AND KIM: HYBRID SCHEME OF PKE AND SHE 1055
3) ASHE sets x 0 = sk PKE , x 1 = sk PKE and is given over Z N and a SHE scheme with message space Z N for
y ← SHE.Enc(x b ) for some randomly chosen N = pq are given. Without loss of generality, we assume
b ∈ {0, 1}. that p > q. To construct hybrid scheme, we use the following
4) ASHE sends ( pk PKE , pk SHE , y) to B1 as a public key two facts:
of Hyb. 1) For binary representation of e = i ei 2i ,
5) B1 chooses x 0 , x 1 and sends them to ASHE . i i i
6) ASHE selects b ← {0, 1} and sends y ← v e = v i ei 2 = v ei 2 = ei v 2 + (1 − ei )v 0
PKE.Enc(x b ) to B2 . i i
7) B2 outputs b ∈ {0, 1} to ASHE as an answer. 2) C RT( p,q) (a, b) = (a·q(q −1 mod p)+ b· p( p−1 mod q))
8) If b = b , ASHE outputs b = 0, otherwise b = 1 is mod N.
output. In Hyb.KG of hybrid scheme, we add encryptions of pi , qi
In this game, if b = 0 then y is a valid encryption of for i = 0, . . . , log p
to the pk Hyb , where ( p − 1)/2 =
sk PKE that matches the public key of PKE contained in pk Hyb .
i pi 2 and (q−1)/2 =
i i
i qi 2 . Since p and q are secret, the
Steps 4) − 7) are identical to the standard game for Hyb.
encryptions of q(q mod p) and p( p−1 mod q) also need to
−1
Then, B will have the advantage AdvB . If b = 1, then y is
be added to the public key of the hybrid scheme.
an encryption of sk PKE that does not match the public key
Now, we run Hyb.Conv algorithm to evaluate the decryp-
pk PKE . In this case, the whole process is identical to the game
tion circuit of GM. Let us consider a GM ciphertext c. Below,
we designed for PKE. Thus, the advantage of ASHE is
we denote SHE.Enc by Enc and homomorphic multiplication
AdvASHE = Pr[Correct guess] − 0.5 and addition of SHE by · and +, respectively.
= Pr[b = 0|Guess 0] + Pr[b = 1|Guess 1] − 0.5 1) To evaluate exponentiation with secret exponent,
compute
= 0.5 · (0.5 + AdvB )+ 0.5 · (0.5−AdvAPKE ) − 0.5
i
= 0.5AdvB − 0.5AdvAPKE c1 = Enc( pi ) · (c2 mod N) + (1 − Enc( pi ))
i
Therefore, if AdvB is non-negligible, either AdvAPKE or i
AdvASHE is non-negligible. c2 = Enc(qi ) · (c2 mod N) + (1 − Enc(qi ))
i
Authorized licensed use limited to: New York University. Downloaded on October 10,2021 at 06:08:24 UTC from IEEE Xplore. Restrictions apply.
1056 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 5, MAY 2015
3) Joye–Libert Encryption: The homomorphic decryption We use the parameters N, p1 , p1 , q1 , q2 and J N as defined
of Joye–Libert encryption is the same as the first part of in Lemma 1. We
remark
that the Jacobi symbol of −1 is
−1
Naccache–Stern decryption if we replace the parameters N, pi , = −1 −1
= −1. Take an element σ ∈ Z× N with
and g by p, 2k , and y, respectively. In this case, we need to use N p1 p2
σ σ ×
SHE with a Z Q message space where Q = 2k N. The degree p1 = p2 = −1. We define a bijective map ι : Z N →
of the decryption circuit is approximately log p · (2k − 1). J N × {0, 1} by
Remark 4: Although the elliptic curve ElGamal cryptosys- m m
tem [14] has a small ciphertext, we do not consider it in this m → (m̂, m̌) = m · , 1− /2 .
N N
paper, since it is difficult to evaluate the inverse map of the
message encoding and the addition of points on the elliptic The EGM = (EGM.KG, EGM.Enc, EGM.Dec) encryp-
curve. tion is as follows:
• EGM.KG(λ): Choose a generator g of J N with order
φ(N)/2 in Z× N and a random e ∈ [0, 4q1 q2 ), and
C. Multiplicative Homomorphic Encryptions compute y ≡ g e mod N. Output a public key pk EGM =
for PKE in the Hybrid Scheme (N, g, y, σ ) and a secret key sk EGM = (e, p1 , p2 ).
We may consider ElGamal encryption [5] as a candidate • EGM.Enc( pk EGM , m): For a plaintext m ∈ Z× N , compute
for a multiplicative PKE in constructing a hybrid scheme. ι(m) = (m̂, m̌) and choose a random r ∈ [0, N 2 )3 and a
An ordinary ElGamal encryption over a ring R has a message random h ∈ Z N . Output a ciphertext c = (c1 , c2 , c3 ) =
space Gq ⊂ R of prime order q. In other words, elements (g −r , m̂ y r , σ m̌ h 2 ).
not in the prime subgroup cannot be securely encrypted under • EGM.Dec(sk EGM , c): Take as input the secret key
ElGamal encryption. It is possible to take all nonzero element sk EGM and a ciphertext c = (c1 , c2 , c3 ) ∈ (Z× N) .
3
in R as a message only when R = F2n for n such that Compute and output a message m ≡ c1 c2 · e
q 2q
2n − 1 is prime, but we cannot use the ElGamal encryption C RT( p1 , p2 ) (c31 , c3 2 ) mod N.
over F2n for PKE. This is because the DLP in an extension The EGM encryption is multiplicatively homomorphic
field with a small characteristic is no longer considered a over Z× N , which covers almost all nonzero element of Z N .
hard problem [1], [11]. Unlike the extension field case, it is q 2q
Note that C RT( p1 , p2 ) (c31 , c3 2 ) = 1 if m̌ is even, and
impossible to construct an ElGamal encryption whose message q 2q
space is a full domain over an integer ring. C RT( p1 , p2 ) (c31 , c3 2 ) = −1 otherwise. From this, the EGM
We propose a new multiplicative homomorphic encryption encryption is correct for an unlimited number of multiplica-
whose message space is Z× tions on encrypted data. Additionally, the EGM encryption is
N , which covers almost all nonzero
elements of Z N . Our scheme is a combination of the ElGamal semantically secure under the DDH assumption over J N and
scheme over Z N [5] and the Goldwasser-Micali encryption the QR assumption over Z N for common N = p1 p2 .
scheme over Z N [10] for a common N = p1 p2 , and the Theorem 2 (Multiplicative Homomorphism): For any posi-
ciphertext consists of three elements in Z× tive integer k, suppose that ci = EGM.Enc( pk EGM , m i ) for
N . We call this the
EGM encryption scheme. all i ∈ [1, k]. Then,
First, we need the following Lemma to construct EGM
k
k
encryption. EGM.Dec(sk EGM , ci ) = mi ,
Lemma 1: Let N = p1 p2 , where p1 = 2q1 + 1 and i=1 i=1
p2 = 4q2 +1 for distinct
a primes p1, p2 , q1 , q2 and q1 , q2 = 2. where the multiplication of two ciphertexts is defined as
Let J N := {a ∈ Z× N | N = 1}. Then, J N is a cyclic subgroup the componentwise product. That is, EGM encryption is
in Z×N of order 4q q
1 2 . multiplicatively homomorphic.
Proof: The order of Z× N is φ(N) = 8q1 q2 , and the order Proof: Suppose that ci := (ci1 , ci2 , ci3 ) =
of J N is φ(N)/2 = 4q1 q2 . A subgroup of order 4q1 q2 in Z× N (gri , m̂ i y ri , σ m̌ i h 2i ) for i ∈ [1, k]. Then
is isomorphic to Z2 ⊕ Z2q1 q2 or Z4q1 q2 , since the group Z× N is
isomorphic to Z× × ∼
p1 ⊕ Z p2 = Z2q1 ⊕ Z4q2 . If there is an element
k
α ∈ Z N of order 4, then J N ∼
×
= Z4q1 q2 and so J N is a cyclic C = (C1 , C2 , C3 ) := ci
group of order 4q1 q2 . i=1
Let us consider generators g1 of order 2q1 in Z× p1 and g2 k
k k k
k
Authorized licensed use limited to: New York University. Downloaded on October 10,2021 at 06:08:24 UTC from IEEE Xplore. Restrictions apply.
CHEON AND KIM: HYBRID SCHEME OF PKE AND SHE 1057
Authorized licensed use limited to: New York University. Downloaded on October 10,2021 at 06:08:24 UTC from IEEE Xplore. Restrictions apply.
1058 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 5, MAY 2015
security parameter. Reducing the degree of exponentiation of The proof of Theorem 4 is straightforward. It has been
secret exponent is a meaningful approach, since the degree verified that the degree of exponentiation is approximately
of the decryption circuit is directly related to the selection of 2 logw e, which is log w times smaller than the original
parameters for SHE. We consider a w-ary (w > 2) representa- method. Using our method, the exponentiation of a large secret
tion of the secret e to reduce the degree of the exponentiation exponent can be homomorphically evaluated with a small
circuits. Using this w-ary representation, there are logw e degree polynomial at a cost of Õ(w) additional public keys
individual terms v ei w , which is fewer than log2 e. However,
i
for an arbitrary integer w.
a(w − 1)-degree polynomial is required to express each v ei w
i
for ei ∈ [0, w − 1] when using Lagrange interpolation. Indeed, B. Improve the Bootstrapping Without Squashing
this increases the degree of exponentiation by e from 2 log e
Gentry and Halevi [8] proposed a new method to construct
to w logw e.
FHE without squashing, called chimeric FHE. The chimeric
Instead of Lagrange interpolation, we use a vector
FHE uses a multiplicative homomorphic encryption (MHE)
representation of ei to reduce the degree in computing v ei w .
i
to bootstrap a SHE without squashing, thereby removing the
First, we expand the secret e in a w-ary representation,
logw e assumption on the hardness of the sparse subset sum problem.
e =
=0 e
w
. Then, v e can be written in the form Gentry and Halevi’s technique in [8] expresses the decryption
n
v e = v
=0 e
w = n
=0 v e
w , where e
∈ [0, w − 1] and of the SHE scheme as a depth-3 ( ) arithmetic circuit.
n = logw e. We define an embedding map π as: They temporarily switchto a ciphertext under MHE, such as
ElGamal, to compute part. Then they homomorphically
π : W −→ Zw evaluate the decryption circuit of MHE to obtain a ciphertext
a −→ fa+1 under SHE. Using their method, SHE only needs to evaluate
the MHE decryption circuit of fixed degree 2 log e, rather
where W := {0, 1, . . . , w − 1} and F := than its own decryption circuit. Using our efficient evaluation
{ f1 , . . . , fw } is the standard basis in Zw . We denote of exponentiation given in Section IV-A, we can reduce the
π(ei ) = (ei0 , . . . , ei(w−1) ) ∈ Zw , where eik ∈ {0, 1} for all degree from 2 log e to 2 logw e. Moreover, our method can
i ∈ [0, n] and k ∈ [0, w − 1]. We also define a vector handle a more general class of SHE whose decryption circuit
vi := (1, v w , v 2w , · · · , v (w−1)w ) ∈ Gw
i i i
q . Then it can easily is a composition of restricted depth-3 circuit and
be verified that v ei w i
=
v i , π(ei ), where ·, · is the ordinary several low depth circuits. By applying our technique, we show
inner product in Zw . To operate this procedure publicly, we that any SHE with a decryption circuit of type [·]q mod p
add encryptions of e
k for all
∈ [0, n], k ∈ [0, w − 1] under can be bootstrapped if it can evaluate degree 2 logw e
SHE to the public key. In fact, wecan omit an encryption circuits.
of ei0 , since ei0 is equal to 1 − w−1 k=1 eik which can be 1) Evaluate Double Modulo Reduction: The bottleneck of
computed homomorphically. the bootstrapping process is the homomorphic computation of
Eval.Exp.Setup( pk SHE , e, w): Take as input a public [·]q mod p. We use the terminology “double modulo reduc-
key pk SHE of SHE, secret exponent e, and expansion tion” to denote [·]q mod p. In general, when the plaintext
parameter w. n is Z2 , the bootstrapping proceeds via bit operations on binary
1) Expand e = i=0 ei w and compute π(ei ) =
i representations of integers. However, it is not easy to bootstrap
(ei0 , . . . , ei(w−1) ) for all i ∈ [0, n], where n = logw e. a ciphertext when the message space is Z p , where p > 2.
2) Output We propose a method to evaluate [·]q mod p homomorphi-
cally for large p using Gentry and Halevi’s idea [8]. As an
Ē e := SHE.Enc(eik ) : i ∈ [0, n], k ∈ [0, w − 1] . application, we present a bootstrapping method of [2] with
sufficiently large message. Since the modulus switching tech-
Eval.Exp( pk SHE , Ē e , w, v): Take as input the public key
nique cannot be used to handle errors of ciphertexts in batch
pk FHE of FHE, set Ē e output by Eval.Exp.Setup and v.
i FHE [2], the selection of parameters for FHE is heavily depen-
1) Encrypt v kw for all i ∈ [0, n], k ∈ [0, w − 1] under dent on the homomorphic capacity of the scheme. Thus our
SHE. improved technique plays an important role in bootstrapping
2) Output ciphertexts.
n w−1
We assume that q is equivalent to 1 modulo p.
i
c := SHE.Enc(eik ) · SHE.Enc(v kw ) . Then [c]q mod p can be written as in the DGHV scheme [22]:
i=0 k=0
[c]q mod p = c − c/q
· q mod p = c − c/q
mod p.
Remark 5: In Step 1, we assume v, w, n are public so that
i
v kw can be evaluated publicly. In comparison with the DGHV scheme, it is hard to express
i
Remark 6: In Step 2, we use the trivial encryption of v kw division by p as a low degree polynomial over Z p when p is
for all i and k, since they contain no secret information. greater than two. To apply the technique in [8], we first modify
Theorem 4 (Correctness): If the division part using Gentry’s squashing technique [7].
Let us consider parameters κ, , θ such that κ = γ η/ρ ,
c ← Eval.Exp( pk SHE , Ē e , w, v), = ω(κ · log λ), and θ = λ, where γ is a bit length of c,
then ve ← SHE.Decsk SHE (c). η is a bit length of q which is larger than ρ = 2λ.
Authorized licensed use limited to: New York University. Downloaded on October 10,2021 at 06:08:24 UTC from IEEE Xplore. Restrictions apply.
CHEON AND KIM: HYBRID SCHEME OF PKE AND SHE 1059
Set x q = 2κ /q
and choose a -bit random vector Lemma 2 [8]: Let Q be a prime with Q > 22 .
s = (s1 , . . . , s ) with Hamming weight θ . Choose a random Regarding the “complicated part” of the decryption circuit,
integer
u i ∈ Z ∩ [0, p · 2κ ) for i = 1, . . . , such that there is f (x)
an univariate polynomial of degree ≤ 22 such
κ κ −n
i si u i = x q (mod p · 2 ). Set yi = u i /2 , which is smaller that f ( i=1 si z i ) = Q i=1 si z i
mod Q.
p with κ precision after the binary point. In addition,
than Lemma 3 [8]: Let T, be positive integers, and f (x) a
[ i si yi ] p = (1/q) − q for some |q | < 2−κ . To bootstrap univariate polynomial over Z Q (for Q prime, Q ≥ T + 1).
a ciphertext c output by a permuted circuit, we first compute Then there is a multilinear symmetric polynomial M f on T
z i ← [c · yi ] p , keeping only n = log2 θ
+ 3 precision after variables such that
the binary point for i = 1, . . . , . That is, [c · yi ] = z i − i
for some i with |i | ≤ 1/16θ . We have f( si z i )
i=1
(c/q) − si z i = M f (s1 , . . . , s1 , 0, . . . , 0, . . . , s , . . . , s , . . . , 0, . . . , 0),
! " ! " ! " ! "
i=1 p z 1 T −z 1
T −z
z
= (c/q) − si [c · yi ] p − si i for all s = (s1 , . . . , s ) ∈ {0, 1} and z 1 , . . . , z
∈ [0, T ].
⎡
i=1 i=1 p⎤ Lemma 4 [8]: Let Q ≥ + 1 be a prime, let A ⊂ Z Q have
cardinality + 1, let x = (x 1 , . . . , x ) be variables, denote
= ⎣(c/q) − c si · yi − si i ⎦ L A = {(a + x i : a ∈ A, 1 ≤ i ≤ }. For every multilinear
i=1 p i=1 symmetric polynomial M( x ) over Z Q , there is a circuit C( x)
p such that:
= (c/q) − c (1/q) − q − si i • C is a L A -restricted depth-3 circuit over Z Q such that
p
i=1 p
C( x ) ≡ M( x ) mod Q.
• C has + 1 product gates of L A -degree , one gate
= c · q − si i . for each value a j ∈ A, with the j -th gate computing the
i=1 p
value λ j i (a j + x i ) for some constant λ j .
• A description of C can be computed efficiently given the
Since the bit length of c is at most 2γ (η−4)/(ρ +2) < 2κ−4 , values M( x ) at all x = 1i 0−i .
have c · q ≤ 1/16. Additionally, it can be observed that
we Thus we obtain the following theorem:
| si i | ≤ θ · 1/16θ = 1/16. Thus, we have Theorem 5: Let q, p be primes such that q > p > 82 .
For any A ⊂ Z p of cardinality at least 82 + 1, the
[c]q mod p = c − c/q
mod p = c− si z i mod p. (1)
double modulo reduction [·]q mod p can be expressed as
To apply the chimeric L A -restricted depth-3 circuit C of L A -degree at most 82
technique
[8], we convert the above
subset sum into a form, as defined as follows: having at most 82 + + 1 product gates. Thus, the double
Definition 8: Let L = {L j (x 1 , . . . , x n )} be a set of polyno- modulo reduction circuit can be evaluated using the chimeric
mials, all in the same n variables. An arithmetic circuit C is technique.
an L-restricted depth-3 circuit over x := (x 1 , . . . , x n ) if there 2) Bootstrapping in [2]: Cheon et al. [2] proposed a FHE
exists multi sets S1 , . . . , St ⊂ L and constants λ0 , λ1 , . . . , λt based on the Chinese remainder theorem. The decryption
such that of the scheme consists of [·] pi mod Q i with i ∈ [1, k].
t Their scheme only achieves “bootstrapping" when all Q i ’s
C( x ) = λ0 + λi · L j (x 1 , . . . , x n ). are two. They raised the problem of evaluating the double
i=1 L j ∈Si modulo reduction [·] pi mod Q i homomorphically when some
of Q i are greater than 2. We can partially solve this problem
The degree of C with respect to L is d = maxi |Si |. with the above technique, and so complete the bootstrap-
Equation (1) can be converted as follows: ping stage for sufficiently large Q i . This gives a FHE that
[c]q mod p ≡ c − c/q mod p deals with large integers. Note that if the Q i ’s are relatively
prime, we can map a plaintext on Z M with M = i Qi
≡ c− c· si z i mod p into i Z Q i , thus enabling large integer arithmetic on Z M .
i=1 In this bootstrapping procedure, our improved technique for
the evaluation of exponentiation plays an important role, since
≡ c− si z i − 2 −n
si z i mod p, the parameters of the FHE are heavily dependent on the
i=1
! "
i=1
! " homomorphic capacity of the scheme. Using our method, the
simple part complicated part homomorphic capacity can be reduced from 2 log e to 2 logw e
at the cost of public key size Õ(w).
where z i = z i + z i · 2−n for integers z i ∈ [0, p) and
z i ≤ 2n ≤ 8. As well as the simple part, the “complicated
part” can be expressed as a L A -restricted depth-3 circuit C, V. D ISCUSSIONS
provided we choose p such that p > 82 by the following We now discuss some typical applications of FHE
lemmas. in database and cloud computing environments and
Authorized licensed use limited to: New York University. Downloaded on October 10,2021 at 06:08:24 UTC from IEEE Xplore. Restrictions apply.
1060 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 5, MAY 2015
analyze the advantages of our hybrid scheme under various scale-invariant FHE based on RLWE allowing multiplicative
scenarios. depth ten in [6] is about 600KB for 80-bit security: the
dimension n is 10067 and the modulus q is a 230-bit integer.
A. Application Model In the above scenario, encryptors (each hospital or client)
can encrypt data using an efficient AES or PKE scheme to
1) Database Encryption: Let us consider the situation
reduce the bandwidth, instead of an inefficient SHE only.
in which a government agency collects medical records of
Ciphertexts of only a few thousand bits are then sent to
patients from a hospital, and extracts some statistical infor-
the database. This could reduce the encryptors’ bandwidth
mation from the records. When lots of data are stored, it
dramatically. When transmitting μ-bit data using the hybrid
becomes more important to protect the data from misuse
scheme of AES and SHE, encryptors need to send encryptions
by insiders or hacking by outsiders. To reduce the risk, the
of their own AES secret key to convert AES ciphertexts into
data may be encrypted prior to storage. Under this sce-
SHE ciphertexts as well as data encryptions. (say, conversion
nario, we give an efficient storage solution using a hybrid
key) Since the size of SHE ciphertext which supports mul-
scheme.
tiplicative depth fifty (forty for decryption of AES and ten
First, the agency generates ( pk Hyb , sk Hyb ) using the
for homomorphic evaluation) is 16MB, the encryptors send
hybrid scheme. The secret key sk Hyb is stored in a secure
an additional 128 × 16MB conversion key.4
area, the public key pk PKE is made public to hospitals,
On the other hand, when using the hybrid scheme of
and pk Hyb is made public to a database. Each hospital
EGM and # μSHE,
$ encryptors only send EGM encryption
uploads its medical records to the database after encryption
of size 1024 ·3072bit to send μ-bit without any addi-
under pk PKE . The agency requests the database to perform
tional conversion key. The conversion key of the EGM
some computations on the patient data to extract infor-
scheme is sent to the server by decryptor (the government
mation. The database performs homomorphic computations
agency).
on the encrypted data using pk Hyb . After evaluating the
After receiving the ciphertext from each encryptor, the
requested computations, the resulting ciphertexts are sent to
server stores and computes on the ciphertexts which contain
the agency. The decryption is carried out in the agency’s secure
secret information of encryptors. The server can reduce the
area.
storage requirement by storing only small AES or PKE
2) Outsourcing of Computations in Cloud Environment:
ciphertexts, instead of large SHE ciphertexts. The server
Suppose that a client who has limited computing power wants
converts these to SHE ciphertexts and performs the necessary
to perform heavy computation on private data. Our hybrid
operations only when required. In the case of hybrid scheme
scheme can be used to protect his privacy, i.e., the computa-
of AES and SHE, the server has to store the conversion
tions of PKE-encrypted data are outsourced along with pk Hyb
key of each clients as well as the public key (containing
to a cloud that has huge computing power and storage. The
evaluation key) to evaluate functions on encrypted data.
cloud performs the outsourced computations, and returns the
In the hybrid scheme of AES and SHE, the public key size
resulting ciphertext encrypted under SHE. Although the fact
is 4n log q = 32MB.5
that the client must send the large-size pk Hyb appears to be a
Let us consider the hybrid scheme of EGM and SHE. The
weakness of our hybrid scheme, this is only a minor concern,
message space of the EGM scheme is Z× N for a 1024-bit
since pk Hyb is sent to the cloud only once in the outsourcing
integer N = pq, and the ciphertext is of the form
procedure.
(C1 , C2 , C3 ) ∈ (Z× N ) . To evaluate the decryption of EGM,
3
Remark 7: Since the client may not trust the cloud, it is
we choose the message space of SHE to be Z N . In scale
desirable that the cloud can prove that the computations on the
invariant SHE based on RLWE [6], we choose the dimension
encrypted data were done correctly. Proof of the correctness
and modulus as follows:
when using only FHE was given in [3]. Further study on this
problem is needed when the hybrid scheme is used to delegate (L(log t + log n + 23) − 8.5)(κ + 110)
n=
the computations. 7.2
log q = L(log t + log n + log log q),
B. Advantages for multiplicative depth L, message space Zt and security
The advantages of using our scheme in the above scenarios parameter κ. Thus, we obtain the ciphertext size of 3GB by
include small bandwidth, reduced storage requirements, and substituting L = 20 and log t = 1024. In this case, we
computational efficiency. In this section, we consider the have to add encryptions of EGM secret key in the public
scale invariant fully homomorphic encryption based on RLWE key to convert EGM ciphertexts into SHE ciphertexts. Since
proposed in [6]. q1 and q2 are 512 bit integers, we add 1024 additional
1) Small Bandwidth and Storage Saving: In a cloud envi- ciphertexts to the public key when using binary expansion of
ronment, each client encrypts their messages using limited 4 We refer parameter analysis of [9]. In state-wise bit-slicing variant of AES
computing power and storage and a server manages the evaluation, they encrypt each bit of AES secret key separately. When the
encrypted data with its large computing power and storage. SHE allows homomorphic multiplications unto depth fifty, the degree n of
the base ring is 51234, and the modulus q is a 1250-bit integer. We can
However, the current FHE’s may not be suited to this envi- obtain 2n log q(= 16MB) size SHE ciphertext.
ronment, because their large ciphertext size entails a large 5 Here, if we use a new key switching technique proposed in [9], the
communication cost. For example, the ciphertext size of evaluation key size is 2n log q.
Authorized licensed use limited to: New York University. Downloaded on October 10,2021 at 06:08:24 UTC from IEEE Xplore. Restrictions apply.
CHEON AND KIM: HYBRID SCHEME OF PKE AND SHE 1061
TABLE I
C OMPARISON B ETWEEN SHE S CHEMES , THE H YBRID S CHEME OF AES W ITH SHE, AND THE H YBRID S CHEME OF EGM W ITH SHE
IN R EGARD TO THE T RANSMITTED C IPHERTEXT S IZE , C IPHERTEXT E XPANSION R ATIO , SHE C IPHERTEXT S IZE ,
P UBLIC K EY S IZE , AND M ULTIPLICATIVE D EPTH OF SHE
q1 and q2 . Therefore, the size of public key is 3TB. If we can and SHE.Dec(a) = SHE.Dec(b) by a ≡ b.
evaluate the modulo N arithmetic under SHE with a smaller
message space, we expect to reduce the size of ciphertext and SHE( f (m 1 , . . . , m n ))
public key of SHE. In the hybrid scheme of EGM and SHE,
≡ SHE(Mi (m 1 , . . . , m n ))
the public key size is much larger. However, differently
i
from the hybrid scheme of AES and SHE, it has an advan-
tage that the server do not need to store each encryptor’s (∵ SHE is additive homomorphic.)
conversion key. ≡ SHE{D(sk, E pk (Mi (m 1 , . . . , m n )))}
Our hybrid scheme of EGM and SHE has more efficient i
bandwidth and storage than the hybrid scheme of AES and
(∵ D ◦ E is an identity)
SHE scheme when more than 1500 encryptors participate in
the above scenario and each encryptor sends data whose size ≡ SHE{D(sk, Mi (E pk (m 1 ), . . . , E pk (m n )))}
is smaller than 1GB.6 i
We summarize the theoretical comparison of the size of (∵ E is multiplicative homomorphic.)
the transmitted ciphertext, SHE-ciphertext and public key
in Table I when each cryptosystem allows homomorphic ≡ D̄(SHE(sk), SHE(Mi (E pk (m 1 ), . . . , E pk (m n )))),
evaluation of depth ten multivariate functions. i
2) Efficient Computing: In our hybrid scheme, we can
where D̄ is the decryption circuit encrypted with SHE
choose an additive or multiplicative homomorphic PKE
and the last equality holds because SHE can evalu-
depending on the property of the circuit we are to eval-
ate D with SHE(sk). More specifically, we follow the
uate. Suppose that the server is to evaluate multivariate
steps:
polynomials f and g, where f has polynomially many
monomials on inputs and g has polynomially many linear 1) Given c1 = E pk (m 1 ), · · · , cn = E pk (m n ), compute
factors. We will use a multiplicative homomorphic PKE in the Mi (c1 , · · · , cn ) = E pk (Mi (m 1 , · · · , m n )) for each i .
first case, and an additive homomorphic PKE in the second 2) Encrypt E pk (Mi (m 1 , · · · , m n )) with SHE and then eval-
case. uate the decryption circuit D̄ with the encrypted secret
First, let us consider key SHE(sk) of E pk . (Observe: one may use trivial
encryption on E pk (Mi ).)
f (x 1 , . . . , x n ) = Mi (x 1 , . . . , x n ), 3) Add them to obtain SHE( f (m 1 , . . . , m n )).
i∈I Now let us consider that the server is to compute a polyno-
which is an n-variable polynomial over a ring R. Each Mi is a mial g(x 1, . . . , x n ) = i∈I L i (x 1 , . . . , x n ) where each L i is
monomial of f . If the degree of f is large, several decryption a linear multivariate factor of g. Suppose that the ciphertexts
or modulus switching procedures are required when using are encrypted under an additive homomorphic encryption E.
ordinary FHE. These are slow, or increase the ciphertext In this case, we follow the steps:
size. However, using our hybrid scheme, we can evaluate f 1) Given c1 = E pk (m 1 ), · · · , cn = E pk (m n ), compute
without bootstrapping, regardless of its degree. Suppose the L i (c1 , · · · , cn ) = E pk (L i (m 1 , · · · , m n )) for each i .
ciphertexts are encrypted under a multiplicative encryption E 2) Encrypt E pk (L i (m 1 , · · · , m n )) with SHE and then eval-
with key ( pk, sk) and SHE can evaluate the decryption uate the decryption circuit D̄ with the encrypted secret
circuit D(sk, ·) of E pk . Given c1 = E pk (m 1 ), . . . , cn = key SHE(sk) of E pk . (Observe: one may use trivial
E pk (m n ), we can compute SHE.Enc( f (m 1 , . . . , m n )) encryption on E pk (L i ).)
with SHE.Enc(sk). Below, we denote SHE.Enc by SHE 3) Multiply them to obtain SHE( f (m 1 , . . . , m n )).
Remark 8: After converting the ciphertexts, we could com-
6 Suppose that m encryptors participate in and each encryptor sends pute them under SHE rather than PKE. Therefore, better use is
k-bit data to the server. Then our approach is more advantageous when made of the hybrid scheme when evaluating fixed multivariate
3TB < (2m)GB and 3k-bit < (2GB + k-bit). polynomials.
Authorized licensed use limited to: New York University. Downloaded on October 10,2021 at 06:08:24 UTC from IEEE Xplore. Restrictions apply.
1062 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 5, MAY 2015
Authorized licensed use limited to: New York University. Downloaded on October 10,2021 at 06:08:24 UTC from IEEE Xplore. Restrictions apply.
CHEON AND KIM: HYBRID SCHEME OF PKE AND SHE 1063
Jung Hee Cheon is currently a Professor Jinsu Kim is currently pursuing the Ph.D. degree
with the Department of Mathematical Sciences, with the Department of Mathematical Sciences,
Seoul National University, Seoul, Korea, and the Seoul National University (SNU), Seoul, Korea.
Director of the Cryptographic Hard Problems He received the B.S. degree in mathematical edu-
Research Initiatives. He received the B.S. and cation from SNU, in 2009. His research interests
Ph.D. degrees in mathematics from the Korea include computational number theory, cryptography,
Advanced Institute of Science and Technology, and information security.
Daejeon, in 1991 and 1997, respectively. After
working as a Senior Researcher with the Elec-
tronics and Telecommunications Research Institute,
Daejeon, and a Visiting Scientist with Brown Uni-
versity, Providence, RI, USA, he was an Assistant Professor with Information
and Communications University, Daejeon, for two years. His research interests
include computational number theory, cryptography, and information security.
He was the Cochair of ICISC, ANTS, and Asiacrypt, and served as a Program
Committee Member of many IACR conferences. He was a recipient of the
best paper award at Asiacrypt in 2008.
Authorized licensed use limited to: New York University. Downloaded on October 10,2021 at 06:08:24 UTC from IEEE Xplore. Restrictions apply.