A Hybrid Scheme of Public-Key Encryption and Somewhat Homomorphic Encryption

1052 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO.
5, MAY 2015
A Hybrid Scheme of Public-Key Encryption and

Somewhat Homomorphic Encryption
Jung Hee Cheon and Jinsu Kim
Abstract— We introduce a hybrid homomorphic encryption computations on the encrypted data and then sends them to
that combines public-key encryption (PKE) and somewhat homo- an agency who has a decryption key for the FHE. This is com-
morphic encryption (SHE) to reduce the storage requirements mon in typical FHE scenarios, such as medical and financial
of most somewhat or fully homomorphic encryption (FHE)
applications. In this model, messages are encrypted with a applications [16]. In this situation, one approach to reduce the
PKE and computations on encrypted data are carried out storage requirement is to use AES encryption to encrypt data,
using SHE or FHE after homomorphic decryption. To obtain and then perform homomorphic computations on ciphertexts
efficient homomorphic decryption, our hybrid scheme combines after converting to FHE-ciphertexts. This method has a great
IND-CPA PKE without complicated message padding with SHE advantage in storage and communication, because only small
with a large integer message space. Furthermore, if the underly-
ing PKE is multiplicative, the proposed scheme has the advantage AES-ciphertexts are transmitted from user to server, and these
that polynomials of arbitrary degree can be evaluated without are homomorphically decrypted only when their homomor-
bootstrapping. We construct this scheme by concatenating the phic computations are required. In an asymmetric setting,
ElGamal and Goldwasser–Micali schemes over a ring Z N for a we can still use this approach by adding several public-key
composite integer N whose message space is Z× N . To accelerate FHE ciphertexts of a session key. However this approach
the homomorphic evaluation of the PKE decryption, we introduce is not practical when the amount of messages transmitted
a method to reduce the degree of the exponentiation circuit at
the cost of additional public keys. Using the same technique, simultaneously is small compared with the size of on FHE
we present an efficient partial solution to an open problem ciphertext. Moreover, the conversion of AES-ciphertexts into
which is to evaluate mod q mod p arithmetic homomorphically FHE-ciphertexts requires a leveled FHE with multiplicative
for large p. As an independent interest, we also obtain a generic depth of at least forty [2], [4], [9].1
method for converting from private-key SHE to public-key SHE. In this paper, we explore an alternative method that encrypts
Unlike the method described by Rothblum, we are free to choose
the SHE message space. messages with a public key encryption (PKE) and converts
Index Terms— ElGamal, Goldwasser–Micali, Naccache-Stern, them into SHE-ciphertexts for homomorphic computations.
hybrid scheme, homomorphic encryption, fully homomorphic In this approach, the ciphertext expansion ratio is only two or
encryption, bootstrapping. three regardless of the message size. Moreover, the decryption
circuit is very shallow when the SHE allows large integers as
I. I NTRODUCTION messages. For example, the decryption circuit of ElGamal over
T HE concept of computation on encrypted data with-

out decryption was first introduced by Rivest, Adleman
and Dertouzos in 1978 [19]. Thirty years later, Gentry pro-
Z N has a multiplicative depth of nine under a SHE with the
message space Z N [8].2 We can reduce the depth further by
representing the secret exponent e as logw e binary vectors of
posed a fully homomorphic encryption (FHE) based on ideal length w, which is an improvement over the Gentry-Halevi
lattices [7]. This scheme is far from being practical because technique [8].
of its large computational cost and large ciphertexts. Since When using additive (resp. multiplicative) homomorphic
then, considerable efforts have been made to devise more encryption as the underlying PKEs, we obtain the addi-
efficient schemes. However, most FHE schemes still have very tional advantage that additions (resp. multiplications) can
large ciphertexts (millions of bits for a single ciphertext). This be computed without converting to SHE. For multiplica-
presents a considerable bottleneck in practical deployments. tive homomorphic encryptions (MHE) in particular, one
We consider the following situation: several users upload can compute SHE( f (m 1 , . . . , m k )) from PKE.Enc(m 1 ), . . . ,
data encrypted with a public-key FHE, a server carries out PKE.Enc(m k ) without (expensive) bootstrapping for any mul-
tivariate polynomial f (x 1 , . . . , x k ) with polynomially many
Manuscript received July 28, 2014; revised November 19, 2014; accepted
January 14, 2015. Date of publication February 2, 2015; date of current terms.
version March 7, 2015. This work was supported by the ICT R&D program
1 In [4], one chooses the bit length of secret key η > ρ + L(log + 9) to
of MSIP/IITP [No.10047212, Development of homomorphic encryption sup-
porting arithmetics on ciphertexts of size less than 1kB and its applications] allow multiplicative depth L homomorphic evaluation. From the parameters
and Samsung Electronics, Co., Ltd. [No. 045020130004]. The associate editor in [4, Sec. 5], we can verify that the multiplicative level L of FHE is about
coordinating the review of this manuscript and approving it for publication forty, when we choose η = 993, ρ = 86, = 28, 125 for homomorphic
was Prof. Shouhuai Xu. evaluation of AES decryption.
The authors are with the Department of Mathematical Sciences, Seoul 2 The decryption of ElGamal encryption consists of exponentiation with
National University, Seoul 151-742, Korea (e-mail: jhcheon@snu.ac.kr; secret 160-bit exponent e. Using the method to evaluate secret exponent e
kjs2002@snu.ac.kr). homomorphically with 2 log e degree in Section III.B.1), one can evaluate the
Digital Object Identifier 10.1109/TIFS.2015.2398359 decryption circuit of ElGamal with SHE of multiplicative depth nine.
1556-6013 © 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: New York University. Downloaded on October 10,2021 at 06:08:24 UTC from IEEE Xplore. Restrictions apply.
CHEON AND KIM: HYBRID SCHEME OF PKE AND SHE 1053
One problem when using MHE in the hybrid scheme is B. Homomorphic Encryption Schemes
that the message space for MHE schemes is not usually Definition 4 (ElGamal Encryption Over a Ring): Let R be
closed under addition. For example, the (IND-CPA) ElGamal a ring. The ElGamal encryption scheme ElG = (ElG.KG,
encryption over a ring R can only take messages with elements ElG.Enc, ElG.Dec) consists of the following algorithms:
in a prime order subgroup, which covers only a small part of R. • ElG.KG(λ): Choose a multiplicative cyclic subgroup Gq
To resolve this, therefore, we construct a MHE whose message of prime order q in R such that the DDH assumption
space is Z×N for an RSA modulus N = p1 p2 . The proposed holds with respect to the security parameter λ. Choose a
scheme is constructed by combining ElGamal encryption generator g of Gq and a random e ∈ [0, q), and compute
over Z× N and Goldwasser-Micali encryption over Z N , and is y = g e . Output a public key pk ElG = (R, Gq , g, y) and
secure under the decisional Diffie–Hellman assumption and a secret key sk ElG = e.
the quadratic residuosity assumption for common N = pq. • ElG.Enc( pk ElG , m): Take as input the public key pk ElG
We remark that our technique solves the open problem and a plaintext m ∈ Gq . Choose a random r ∈ [0, q) and
of [13] when the FHE message space is Z p for large p. compute g −r and m · y r . Output c = (g −r , m · y r ).
We convert the double modulo reduction into a depth-3 circuit, • ElG.Dec(sk ElG , c): Take as input the secret key sk ElG
and then, we apply the technique of [8]. Our improved tech- and a ciphertext c = (v, u) ∈ R 2 . Output m = v e u.
nique plays an important role in this method, as the parameters Definition 5 (Goldwasser–Micali Encryption): The
depend heavily on the homomorphic capacity of FHE. Goldwasser-Micali encryption scheme GM = (GM.KG,
As an independent interest, we also present a generic GM.Enc, GM.Dec) consists of the following algorithms:
method for converting from a private-key SHE to a public-key • GM.KG(λ): Choose random primes p, q and com-
SHE using our hybrid scheme. In this case, the message space pute N = pq such that the 1-QR assumption holds
is Z p for a large integer p > 2 and the public key is the with respect to the security parameter λ. Compute the
encryption of the secret key of a PKE under private-key SHE, quadratic non–residue y modulo N satisfying yp =
which is much smaller than that described in [20].
y
q = −1. Output a public key pk GM = (N, y) and a
secret key sk GM = ( p).
II. P RELIMINARIES
• GM.Enc( pk GM , m): For a plaintext m ∈ {0, 1},
In this section, we introduce some definitions and base choose a random x ∈ Z× N and output a ciphertext
problems needed to prove the security of our schemes. c = y m x 2 mod N.
Notation: For m, n ∈ N, [m, n] and [m, n) denote the sets • GM.Dec(sk GM , c): For a ciphertext c ∈ Z× , if c
=1
N p
{m, m+1, . . . , n−1, n} and {m, m+1, . . . , n−2, n−1}, respec- 2
output 0. Otherwise output 1.
tively. We denote the element in Z∩(− n2 , n2 ] that is equivalent
Definition 6 (Joye–Libert Encryption): The Joye-Libert
n by a mod n or [a]n , and the unique integer in
to amodulo
p p encryption scheme JL = (JL.KG, JL.Enc, JL.Dec) consists
(− i2 i , i2 i ] that is congruent to m i modulo pi for all i
of the following algorithms:
by C RT( p1 ,..., pk ) (m
a1, . . . , m k ). For an integer N,× we use2 sets • JL.KG(λ): Choose an integer k ≥ 1 and random primes
J N := {a ∈ Z× | N = 1} and QR N := {a ∈ Z N |a
= b for
N p and q with p ≡ q ≡ 1 (mod 2k ), and set N = pq
some b ∈ Z× N }. We denote a φ(N)/ p mod N by a
N p. such that the k-QR assumption holds with respect to the
security parameter λ. Choose a random y ∈ J N \QR N .
A. Hard Problems Output a public key pk JL = (N, y, k) and a secret key
sk JL = ( p).
Definition 1 (Decisional Diffie–Hellman Problem Over G): • JL.Enc( pk JL , m): For a plaintext 0 ≤ m < 2k ,
Let G be a group with a generator g of order q. For a given choose a random x ∈ Z× N and output a ciphertext
tuple (g, g a , g b , g c ), the decisional Diffie–Hellman (DDH) k
c = y m x 2 mod N.
problem over G is to determine whether g ab = g c . ×
• JL.Dec(sk
JL , c): For a ciphertext c ∈ Z N , compute
Definition 2 (k-Quadratic Residuosity Problem Over Z N ):
Given an odd composite integer N = pq such that z = cp k and then find and output m ∈ {0, 1}k such
a p ≡ q ≡ 1 2
(mod 2k ) and a ∈ J N where J N := {a ∈ Z× N | N = 1}, the that the relation
k-quadratic residuosity problem (k-QR) over Z N is to deter-
m
y
mine whether a is quadratic residue modulo N. =z (mod p)
p 2k
Definition 3 (Higher Residuosity Problem Over Z N ): For a
given odd composite integer N = pq, an integer d such that holds.
d|( p − 1), and an integer a ∈ Z N , the higher residuosity Remark 1: Note that the case k = 1 corresponds to the
problem (HR) over Z N is to determine whether a is the Goldwasser-Micali cryptosystem.
d-th residue modulo N. Definition 7 (Naccache-Stern Encryption): The
We say that the DDH assumption over Gq holds if no Naccache-Stern encryption scheme NS = (NS.KG,
polynomial time distinguisher can solve the DDH problem NS.Enc, NS.Dec) consists of the following algorithms:
with non-negligible advantage with respect to the security • NS.KG(λ): Choose k p1, . . . , pk ,
k/2random small primes
parameter λ. The k-QR and HR assumptions over Z N are compute u = p
i=1 i and v = i=k/2+1 pi and
defined similarly. set σ = uv. Choose large primes a and b such that
1054 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 5, MAY 2015
p = 2au + 1 and q = 2bv + 1 are prime and set N = pq • Hyb.Conv( pk Hyb , c): Evaluate the decryption circuit
such that the HR assumption holds with respect to the PKE.Dec with pk Hyb . That is, compute and output a
security parameter λ. Choose a random g mod N of ciphertext C, where
order φ(n)/4. Output a public key pk NS = (σ, N, g)
and a secret key sk NS = ( p). C = f Dec SHE.Enc(sk PKE ), SHE.Enc(c) .
• NS.Enc( pk NS , m): For a plaintext m ∈ Zσ , choose • Hyb.Eval( pk Hyb , f, C1 , . . . , Ct ): For a given circuit
x ∈ Z N and output a ciphertext c = x σ g m mod N. f and t ciphertexts C1 , . . . , Ct under SHE, output
• NS.Dec(sk NS , c): For a ciphertext c ∈ Z× N , compute
z = cφ(N)/ pi and find m i such that the relation C = SHE.Eval( pk SHE , f, C1 , . . . , Ct ).

m i
g • Hyb.Dec(sk Hyb , c): For a ciphertext C ∈ C pk SHE , output
= z (mod N)
N pi m = SHE.Dec(sk SHE , C).
holds for each i . Output Remark 2: In the Hyb.Conv algorithm, note that
m = C RT( p1 ,..., pk ) (m 1 , . . . , m k ). C = f Dec (SHE.Enc(sk PKE ), SHE.Enc(c))

= SHE.Enc( f Dec (sk PKE , c)) = SHE.Enc(m),
III. E NCRYPT W ITH PKE AND C OMPUTE W ITH SHE since SHE can evaluate the decryption circuit of
PKE f Dec .
In this section, we describe the concept of a hybrid
Remark 3: In our hybrid scheme, the homomorphic capac-
scheme that combines PKE and SHE. A message is encrypted
ity of SHE at least exceeds the degree of the decryption circuit
using PKE, and converted to a ciphertext under SHE when
f Dec of PKE.
homomorphic computations on the message are needed. The
Theorem 1 (Semantic Security of Hybrid Scheme): If both
ciphertext is decrypted under SHE.
the PKE and the SHE are semantically secure, then so is the
hybrid scheme.
A. A Hybrid Scheme of PKE and SHE Proof: Suppose a polynomial time adversary
Suppose that a client who has limited computation B = (B1 , B2 ) breaks the semantic security of the scheme
capability wants to compute f (m 1 , . . . , m k ) for sensitive with non-negligible advantage. We define the advantage of
messages {m 1 , . . . , m k } and a multivariate polynomial f . adversary B by

The client could outsource the heavy computation to a
AdvB (λ) := Pr B2 (x 0 , x 1 , pk Hyb , y) = b
server that has sufficient computing power. Currently, FHE
is a good way of delegating computations, if we ignore ( pk PKE , sk PKE ) ← PKE.KG, ( pk SHE , sk SHE ) ← SHE.KG,
the client’s bandwidth and the server’s storage. However, (x 0 , x 1 , pk Hyb ) ← B1 ( pk PKE , pk SHE , SHE(sk PKE )),
these are very significant measures in the construction of a

cloud environment, as they are directly connected to the real b ← {0, 1}, y ← PKE.Enc(x b ) − 0.5,
cost.
and denote this by AdvB . We will show that we can use B
The bandwidth and storage requirements can be reduced by
to break either PKE or SHE. We now set up two games for
combining PKE with a small ciphertext size and SHE that can
PKE and SHE.
evaluate the decryption circuit of the PKE, rather than its own
In the game for PKE, the adversary APKE only has access
decryption circuit. We propose a hybrid scheme to improve the
to pk PKE . APKE prepares the following game for B.
efficiency of SHE when used in a cloud computing environ-
1) APKE runs PKE.KG and SHE.KG to obtain
ment. Let PKE = (PKE.KG, PKE.Enc, PKE.Dec) be a PKE
( pk PKE , sk PKE ) and ( pk SHE , sk SHE ).
and SHE = (SHE.KG, SHE.Enc, SHE.Dec, SHE.Eval) be
2) APKE sends ( pk PKE , pk SHE , SHE.Enc(sk PKE )) to B1
a SHE. Suppose that there exists a circuit f Dec such that
as a public key of Hyb.
f Dec (sk, c) = m for all ciphertexts c = PKE.Enc(m) and
3) B1 chooses x 0 , x 1 and sends them to APKE .
secret key sk. We also assume that f Dec can be evaluated
4) APKE selects b ← {0, 1} and sends y ← PKE.Enc(x b )
homomorphically under SHE. The Hybrid scheme of PKE
to B2 .
and SHE consists of the following five algorithms Hyb =
5) B2 outputs b ∈ {0, 1} to APKE as an answer.
(Hyb.KG, Hyb.Enc, Hyb.Conv, Hyb.Eval, Hyb.Dec):
6) APKE outputs b = b .
• Hyb.KG(λ, PKE.KG, SHE.KG): Run PKE.KG and
Steps 2)−6) of this game are identical to the standard game for
SHE.KG to get ( pk PKE , sk PKE , pk SHE , sk SHE ). Output
Hyb with an unmatched pair of pk Hyb and pk PKE . Therefore
pk Hyb = ( pk PKE , pk SHE , SHE.Enc(sk PKE )) AdvAPKE ≤ AdvB .
sk Hyb = (sk SHE ), In the game for SHE, the adversary ASHE only has access
to pk SHE . ASHE prepares the following game for B.
where SHE.Enc(sk PKE ) is an encryption of sk PKE under 1) ASHE runs SHE.KG and SHE.KG to obtain
SHE. ( pk PKE , sk PKE ) and ( pk SHE , sk SHE ).
• Hyb.Enc( pk Hyb , m): For a plaintext m ∈ M pk PKE , output 2) ASHE runs PKE.KG again to get another secret key
c = PKE.Enc( pk PKE , m). sk PKE .
3) ASHE sets x 0 = sk PKE , x 1 = sk PKE and is given over Z N and a SHE scheme with message space Z N for
y ← SHE.Enc(x b ) for some randomly chosen N = pq are given. Without loss of generality, we assume
b ∈ {0, 1}. that p > q. To construct hybrid scheme, we use the following
4) ASHE sends ( pk PKE , pk SHE , y) to B1 as a public key two facts:
of Hyb. 1) For binary representation of e = i ei 2i ,
5) B1 chooses x 0 , x 1 and sends them to ASHE . i i i

6) ASHE selects b ← {0, 1} and sends y ← v e = v i ei 2 = v ei 2 = ei v 2 + (1 − ei )v 0
PKE.Enc(x b ) to B2 . i i
7) B2 outputs b ∈ {0, 1} to ASHE as an answer. 2) C RT( p,q) (a, b) = (a·q(q −1 mod p)+ b· p( p−1 mod q))
8) If b = b , ASHE outputs b = 0, otherwise b = 1 is mod N.
output. In Hyb.KG of hybrid scheme, we add encryptions of pi , qi
In this game, if b = 0 then y is a valid encryption of for i = 0, . . . , log p
to the pk Hyb , where ( p − 1)/2 =
sk PKE that matches the public key of PKE contained in pk Hyb .
i pi 2 and (q−1)/2 =
i i
i qi 2 . Since p and q are secret, the
Steps 4) − 7) are identical to the standard game for Hyb.
encryptions of q(q mod p) and p( p−1 mod q) also need to
−1
Then, B will have the advantage AdvB . If b = 1, then y is
be added to the public key of the hybrid scheme.
an encryption of sk PKE that does not match the public key
Now, we run Hyb.Conv algorithm to evaluate the decryp-
pk PKE . In this case, the whole process is identical to the game
tion circuit of GM. Let us consider a GM ciphertext c. Below,
we designed for PKE. Thus, the advantage of ASHE is
we denote SHE.Enc by Enc and homomorphic multiplication
AdvASHE = Pr[Correct guess] − 0.5 and addition of SHE by · and +, respectively.
= Pr[b = 0|Guess 0] + Pr[b = 1|Guess 1] − 0.5 1) To evaluate exponentiation with secret exponent,
compute
= 0.5 · (0.5 + AdvB )+ 0.5 · (0.5−AdvAPKE ) − 0.5
i
= 0.5AdvB − 0.5AdvAPKE c1 = Enc( pi ) · (c2 mod N) + (1 − Enc( pi ))
i
Therefore, if AdvB is non-negligible, either AdvAPKE or i

AdvASHE is non-negligible. c2 = Enc(qi ) · (c2 mod N) + (1 − Enc(qi ))
i
B. Additive Homomorphic Encryptions 2) To evaluate the Chinese remaindering algorithm,

for PKE in the Hybrid Scheme compute

In constructing a hybrid scheme, candidate c3 = c1 · Enc q(q −1 mod p)
encryptions for an additive homomorphic IND-CPA
PKE include Goldwasser–Micali [10], Paillier [18], + c2 · Enc p( p−1 mod q)
Okamoto–Uchiyama [17], Naccache–Stern [15] and
Joye–Libert [12] encryptions. The decryption circuit of each 3) Finally, we compute c4 = (1 − c3 ) · (2−1 mod N)
system requires additional circuits besides exponentiation, In Step 1), for a given Goldwasser-Micali ciphertext c, we
i
the Chinese remainder algorithm for the Goldwasser–Micali first compute c2 mod N and then perform constant multipli-
i
and Naccache–Stern encryptions, and integer division for the cation and addition under SHE, di := Enc( pi )·(c2 mod N)+
Paillier and Okamoto–Uchiyama encryptions. Because it is (1 − Enc( pi )). After a product of {d0 , . . . , d log p
}, we obtain
difficult to evaluate the integer division part efficiently, the SHE-ciphertext c1 of degree 2 log p
. In Step 2) and 3), the
latter encryptions are unsuitable for the construction of our degree of ciphertext is increased by 1,respectively, and so the
hybrid scheme. Thus we only consider the Goldwasser–Micali, degree of resulting ciphertext c4 is 2 log p
+ 2.
Joye–Libert, and Naccache–Stern encryptions for PKE in the 2) Naccache-Stern Encryption: The decryption of the
hybrid scheme. Naccache–Stern encryption computes z = ( Nc ) pi =
1) Goldwasser-Micali Encryption: The decryption circuit cφ(N)/ pi and find m i by comparing it with [( Ng ) pi ] j for all
of Goldwasser-Micali encryption is as follows:
for
a given j = 0, 1, . . . , ( pi − 1). The message m is recovered by
ciphertext c ∈ Z N , output 0 if p = 1 and q = 1 and
c c computing m = C RT( p1 ,..., pk ) (m 1 , . . . , m k ).
2 2 The only difference from GM scheme is to fine m i by
output 1 otherwise. We can modify the decryption circuit as
follows: searching z in the set {[( Ng ) pi ] j }0≤ j ≤( pi −1) . We use poly-
1. First, compute nomial interpolation to obtain an encryption of m i . That is,
we construct a polynomial f i (x) of degree pi − 1 such that
m = C RT( p,q) (c( p−1)/2, c(q−1)/2 ).
g
k
2. Output m = (1 − m )/2. fi = k (mod N),
N pi
Using the homomorphic evaluation of secret exponentiation
and the Chinese remainder algorithm, it is possible to evaluate for all k ∈ Z pi . We use the same algorithms when evaluating
the decryption circuit of Goldwasser-Micali encryption. z = ( Nc ) pi = cφ(N)/ pi and Chinese remaindering. The degree
We describe a homomorphic decryption method briefly: of the decryption circuit of Naccache–Stern is approximately
Suppose that the Goldwasser–Micali encryption scheme log φ(N) · maxi { pi − 1}.
3) Joye–Libert Encryption: The homomorphic decryption We use the parameters N, p1 , p1 , q1 , q2 and J N as defined
of Joye–Libert encryption is the same as the first part of in Lemma 1. We
remark
that the Jacobi symbol of −1 is
−1
Naccache–Stern decryption if we replace the parameters N, pi , = −1 −1
= −1. Take an element σ ∈ Z× N with
and g by p, 2k , and y, respectively. In this case, we need to use N p1 p2
σ σ ×
SHE with a Z Q message space where Q = 2k N. The degree p1 = p2 = −1. We define a bijective map ι : Z N →
of the decryption circuit is approximately log p · (2k − 1). J N × {0, 1} by
Remark 4: Although the elliptic curve ElGamal cryptosys- m m
tem [14] has a small ciphertext, we do not consider it in this m → (m̂, m̌) = m · , 1− /2 .
N N
paper, since it is difficult to evaluate the inverse map of the
message encoding and the addition of points on the elliptic The EGM = (EGM.KG, EGM.Enc, EGM.Dec) encryp-
curve. tion is as follows:
• EGM.KG(λ): Choose a generator g of J N with order
φ(N)/2 in Z× N and a random e ∈ [0, 4q1 q2 ), and
C. Multiplicative Homomorphic Encryptions compute y ≡ g e mod N. Output a public key pk EGM =
for PKE in the Hybrid Scheme (N, g, y, σ ) and a secret key sk EGM = (e, p1 , p2 ).
We may consider ElGamal encryption [5] as a candidate • EGM.Enc( pk EGM , m): For a plaintext m ∈ Z× N , compute
for a multiplicative PKE in constructing a hybrid scheme. ι(m) = (m̂, m̌) and choose a random r ∈ [0, N 2 )3 and a
An ordinary ElGamal encryption over a ring R has a message random h ∈ Z N . Output a ciphertext c = (c1 , c2 , c3 ) =
space Gq ⊂ R of prime order q. In other words, elements (g −r , m̂ y r , σ m̌ h 2 ).
not in the prime subgroup cannot be securely encrypted under • EGM.Dec(sk EGM , c): Take as input the secret key
ElGamal encryption. It is possible to take all nonzero element sk EGM and a ciphertext c = (c1 , c2 , c3 ) ∈ (Z× N) .
3
in R as a message only when R = F2n for n such that Compute and output a message m ≡ c1 c2 · e
q 2q
2n − 1 is prime, but we cannot use the ElGamal encryption C RT( p1 , p2 ) (c31 , c3 2 ) mod N.
over F2n for PKE. This is because the DLP in an extension The EGM encryption is multiplicatively homomorphic
field with a small characteristic is no longer considered a over Z× N , which covers almost all nonzero element of Z N .
hard problem [1], [11]. Unlike the extension field case, it is q 2q
Note that C RT( p1 , p2 ) (c31 , c3 2 ) = 1 if m̌ is even, and
impossible to construct an ElGamal encryption whose message q 2q
space is a full domain over an integer ring. C RT( p1 , p2 ) (c31 , c3 2 ) = −1 otherwise. From this, the EGM
We propose a new multiplicative homomorphic encryption encryption is correct for an unlimited number of multiplica-
whose message space is Z× tions on encrypted data. Additionally, the EGM encryption is
N , which covers almost all nonzero
elements of Z N . Our scheme is a combination of the ElGamal semantically secure under the DDH assumption over J N and
scheme over Z N [5] and the Goldwasser-Micali encryption the QR assumption over Z N for common N = p1 p2 .
scheme over Z N [10] for a common N = p1 p2 , and the Theorem 2 (Multiplicative Homomorphism): For any posi-
ciphertext consists of three elements in Z× tive integer k, suppose that ci = EGM.Enc( pk EGM , m i ) for
N . We call this the
EGM encryption scheme. all i ∈ [1, k]. Then,
First, we need the following Lemma to construct EGM
k
k
encryption. EGM.Dec(sk EGM , ci ) = mi ,
Lemma 1: Let N = p1 p2 , where p1 = 2q1 + 1 and i=1 i=1
p2 = 4q2 +1 for distinct
a primes p1, p2 , q1 , q2 and q1 , q2 = 2. where the multiplication of two ciphertexts is defined as
Let J N := {a ∈ Z× N | N = 1}. Then, J N is a cyclic subgroup the componentwise product. That is, EGM encryption is
in Z×N of order 4q q
1 2 . multiplicatively homomorphic.
Proof: The order of Z× N is φ(N) = 8q1 q2 , and the order Proof: Suppose that ci := (ci1 , ci2 , ci3 ) =
of J N is φ(N)/2 = 4q1 q2 . A subgroup of order 4q1 q2 in Z× N (gri , m̂ i y ri , σ m̌ i h 2i ) for i ∈ [1, k]. Then
is isomorphic to Z2 ⊕ Z2q1 q2 or Z4q1 q2 , since the group Z× N is
isomorphic to Z× × ∼
p1 ⊕ Z p2 = Z2q1 ⊕ Z4q2 . If there is an element
k
α ∈ Z N of order 4, then J N ∼
×
= Z4q1 q2 and so J N is a cyclic C = (C1 , C2 , C3 ) := ci
group of order 4q1 q2 . i=1
Let us consider generators g1 of order 2q1 in Z× p1 and g2 k
k k k
k
of order 4q2 in Z× = (g − i=1 ri , m̂ i y i=1 ri ,σ i=1 m̌ i

h 2i )
p2 and the map
i=1 i=1
×
C RT( p1 , p2 ) : Z× ×
p1 × Z p2 → Z N . k
We remark that if i=1 m̌ i is even, then
q 2q
q q
Let α := C RT( p1 , p2 ) (g1 1 , g2 2 ). Then we can easily verify that C RT( p1 , p2 ) (C3 1 , C3 2 ) = 1 and ki=1 ( mNi ) = 1. Otherwise,
k m i
the order of α is 4. In addition, q 2q
C RT( p1 , p2 ) (C3 1 , C3 2 ) = −1 and i=1 ( N ) = −1.
q q
α α α g1 1 g2 2 3 The statistical distance between D and D is at most 1/N , where
= = = (−1) · (−1) = 1. 1 2
N p1 p2 p1 p2 D1 := {choose r ← [0, N 2 ) : output r mod φ(N )} and D2 := {choose
r ← [0, φ(N )) : output r}. In fact, we can choose N 1+
for some
> 0
Therefore J N ∼
= Z4q1 q2 if q1 , q2 = 2. instead of N 2 .
Thus, we obtain Thus the advantage of the attacker in Game0 is

q 2q negligible under DDH assumption over J N and QR assumption
C1e C2 · C RT( p1 , p2 ) (C3 1 , C3 2 )
over Z N .
k 1) Encryption of Zero: Since the EGM scheme has the
q 2q
= m̂ i · C RT( p1 , p2 ) (C3 1 , C3 2 ) message space Z× N , we cannot encrypt zero or any multiples of
i=1
p1 or p2 in Z N . As the probability of an encryptor choosing

k m the multiples of p1 or p2 is negligible, we are only concerned
i q 2q
= mi · C RT( p1 , p2 ) (C3 1 , C3 2 ) with zero message.
N
i=1
Borrowing an idea in [21], we can modify the scheme by

k
appending λ Goldwasser–Micali encryptions of an encoding
= mi (mod N).
defined by 0 → r ∈ R {0, 1}λ and 1 → 0λ ∈ {0, 1}λ for
2λ security. The ciphertext of the modified EGM scheme is of
i=1
Theorem 3 (Semantic Security): The EGM scheme is the form (g −r , m̂ y r , h 2 σ m̌ , GM.Enc(r1 ), . . . , GM.Enc(rλ )),
semantically secure under the DDH assumption over J N and where (r1 , . . . , rλ ) = (0, . . . , 0) for a nonzero message
the QR assumption over Z N . m ∈ Z× N and a random λ-bit element for the zero element.
Proof of Theorem 3: Under the attacker scenario, the Note that m̂ and m̌ can be taken arbitrary from Z× N when
attacker first receives a public key of the encryption scheme, m = 0. The random (r1 , . . . , rλ ) in the appended ciphertext is
and outputs a message m 0 , m 1 ∈ Z N . The challenger returns preserved under multiplications with 1 − 2−λ probability. The
an encryption of m b for a randomly chosen bit b. Finally, the decryption algorithm is similar to the original EGM using a
λ λ
attacker outputs a guess b and succeeds if b = b . We use polynomial f (r1 , . . . , rλ ) = (−1)λ! i=1 (r1 + · · · + rλ − i ).
hybrid argument to prove semantic security. We use a sequence 2) EGM Encryption: The decryption circuit of EGM
of games and denote Si the event that the attacker succeeds encryption consists of three secret exponentiations, two multi-
in Gamei . plications and one Chinese remaindering algorithm. Similar
Game0 : This is the original attack scenario. That is, we to the Goldwasser–Micali encryption, we can evaluate the
simulate the challenger by running EGM.KG to obtain a public decryption circuit of degree log e + log p1 (≈ λ2 ). The
key pk 0 = (N, g, y, σ ) and a secret key sk 0 = (e, p1 , p2 ). message space of EGM is Z× N and the ciphertext space
Game1 : This game is the same as Game0 , except for is (Z×N ) 3 . Thus we choose the message space of SHE to be
the following modification to the key generation. Instead of Z N to construct the hybrid scheme.
choosing σ ∈ Z× σ σ
N with ( p1 ) = ( p2 ) = −1, we choose
it as σ = t 2 for a randomly chosen t from Z N . That is, IV. H OMOMORPHIC E VALUATION OF E XPONENTIATION
pk1 = (N, g, y, σ ). To enhance the performance of the hybrid scheme, we
It is clear that any significant difference between Pr[S0 ] must evaluate a modular exponentiation by a secret expo-
and Pr[S1 ] leads immediately to an effective statistical test for nent efficiently; this is related to the decryption circuit of
solving the QR problem over Z N . Thus we obtain Goldwasser–Micali, Naccache–Stern, Joye–Libert and EGM
|Pr[S0 ] − Pr[S1 ]| ≤ AdvQR , encryptions. Actually, this problem has been dealt with by
Gentry and Halevi [8] in evaluating the depth-3 decryption cir-
where AdvQR denotes the advantage in solving QR problem cuit of the form . Their idea is to express the secret key e
over Z N . of the ElGamal encryption as a binary representation, and
Game2 : This game is the same as Game1 , except for the then convert the exponentiation into a multivariate polynomial.
following modification to the encryption of m b . Instead of In their approach, the ElGamal decryption circuit is repre-
encrypting a m b as c = (g −r , m̂ b y r , σ m̌ b h 2 ), we compute sented by a 4λ–degree polynomial that is too large to evaluate
c = (g −r , u, σ m̌ b h 2 ) for randomly chosen r ∈ [0, N 2 ), efficiently, where λ is the security parameter. We present an
h ∈ Z N and u ∈ J N and send c to the attacker as a challenge improved algorithm to evaluate an exponentiation with a small
ciphertext. degree multivariate polynomial.
It is also clear that any significant difference between Pr[S1 ]
and Pr[S2 ] leads immediately to an effective statistical test for A. Improved Exponentiation Using Vector Decomposition
solving the DDH problem over J N . Thus
Gentry and Halevi [8] first proposed a method to homomor-
|Pr[S1 ] − Pr[S2 ]| ≤ AdvDDH , phically evaluate an exponentiation using a secret exponent.
They expand the secret key e of ElGamal encryption as a
where AdvDDH denotes the advantage in solving DDH prob- binary representation e = i ei 2 , with ei ∈ {0, 1}, and
i
lem over J N . compute v as follows:
e
Since the challenge ciphertext c in Game2 is independent
i i
from message m b , Pr[S2 ] is 1/2. Thus we obtain that v e = v i ei 2 = v ei 2 .

i
Pr[S0 ] − 1 = |Pr[S0 ] − Pr[S2 ]|
2 They use the Lagrange interpolation to compute v ei 2 , that is,
i
≤ |Pr[S0 ] − Pr[S1 ]| + |Pr[S1 ] − Pr[S2 ]| i i

v ei 2 = ei v 2 + (1 − ei )v 0 . The degree of their exponentiation
≤ AdvQR + AdvDDH . circuit is approximately 2 log e (≈ 4λ), where λ is the
security parameter. Reducing the degree of exponentiation of The proof of Theorem 4 is straightforward. It has been
secret exponent is a meaningful approach, since the degree verified that the degree of exponentiation is approximately
of the decryption circuit is directly related to the selection of 2 logw e, which is log w times smaller than the original
parameters for SHE. We consider a w-ary (w > 2) representa- method. Using our method, the exponentiation of a large secret
tion of the secret e to reduce the degree of the exponentiation exponent can be homomorphically evaluated with a small
circuits. Using this w-ary representation, there are logw e degree polynomial at a cost of Õ(w) additional public keys
individual terms v ei w , which is fewer than log2 e. However,
i
for an arbitrary integer w.
a(w − 1)-degree polynomial is required to express each v ei w
i
for ei ∈ [0, w − 1] when using Lagrange interpolation. Indeed, B. Improve the Bootstrapping Without Squashing
this increases the degree of exponentiation by e from 2 log e
Gentry and Halevi [8] proposed a new method to construct
to w logw e.
FHE without squashing, called chimeric FHE. The chimeric
Instead of Lagrange interpolation, we use a vector
FHE uses a multiplicative homomorphic encryption (MHE)
representation of ei to reduce the degree in computing v ei w .
i
to bootstrap a SHE without squashing, thereby removing the
First, we expand the secret e in a w-ary representation,
logw e assumption on the hardness of the sparse subset sum problem.
e = =0 e w . Then, v e can be written in the form Gentry and Halevi’s technique in [8] expresses the decryption
n
v e = v =0 e w = n =0 v e w , where e ∈ [0, w − 1] and of the SHE scheme as a depth-3 ( ) arithmetic circuit.
n = logw e. We define an embedding map π as: They temporarily switchto a ciphertext under MHE, such as
ElGamal, to compute part. Then they homomorphically
π : W −→ Zw evaluate the decryption circuit of MHE to obtain a ciphertext
a −→ fa+1 under SHE. Using their method, SHE only needs to evaluate
the MHE decryption circuit of fixed degree 2 log e, rather
where W := {0, 1, . . . , w − 1} and F := than its own decryption circuit. Using our efficient evaluation
{ f1 , . . . , fw } is the standard basis in Zw . We denote of exponentiation given in Section IV-A, we can reduce the
π(ei ) = (ei0 , . . . , ei(w−1) ) ∈ Zw , where eik ∈ {0, 1} for all degree from 2 log e to 2 logw e. Moreover, our method can
i ∈ [0, n] and k ∈ [0, w − 1]. We also define a vector handle a more general class of SHE whose decryption circuit

vi := (1, v w , v 2w , · · · , v (w−1)w ) ∈ Gw
i i i
q . Then it can easily is a composition of restricted depth-3 circuit and
be verified that v ei w i
=
v i , π(ei ), where ·, · is the ordinary several low depth circuits. By applying our technique, we show
inner product in Zw . To operate this procedure publicly, we that any SHE with a decryption circuit of type [·]q mod p
add encryptions of e k for all ∈ [0, n], k ∈ [0, w − 1] under can be bootstrapped if it can evaluate degree 2 logw e
SHE to the public key. In fact, wecan omit an encryption circuits.
of ei0 , since ei0 is equal to 1 − w−1 k=1 eik which can be 1) Evaluate Double Modulo Reduction: The bottleneck of
computed homomorphically. the bootstrapping process is the homomorphic computation of
Eval.Exp.Setup( pk SHE , e, w): Take as input a public [·]q mod p. We use the terminology “double modulo reduc-
key pk SHE of SHE, secret exponent e, and expansion tion” to denote [·]q mod p. In general, when the plaintext
parameter w. n is Z2 , the bootstrapping proceeds via bit operations on binary
1) Expand e = i=0 ei w and compute π(ei ) =
i representations of integers. However, it is not easy to bootstrap
(ei0 , . . . , ei(w−1) ) for all i ∈ [0, n], where n = logw e. a ciphertext when the message space is Z p , where p > 2.
2) Output We propose a method to evaluate [·]q mod p homomorphi-
cally for large p using Gentry and Halevi’s idea [8]. As an
Ē e := SHE.Enc(eik ) : i ∈ [0, n], k ∈ [0, w − 1] . application, we present a bootstrapping method of [2] with
sufficiently large message. Since the modulus switching tech-
Eval.Exp( pk SHE , Ē e , w, v): Take as input the public key
nique cannot be used to handle errors of ciphertexts in batch
pk FHE of FHE, set Ē e output by Eval.Exp.Setup and v.
i FHE [2], the selection of parameters for FHE is heavily depen-
1) Encrypt v kw for all i ∈ [0, n], k ∈ [0, w − 1] under dent on the homomorphic capacity of the scheme. Thus our
SHE. improved technique plays an important role in bootstrapping
2) Output ciphertexts.
n w−1
We assume that q is equivalent to 1 modulo p.
i
c := SHE.Enc(eik ) · SHE.Enc(v kw ) . Then [c]q mod p can be written as in the DGHV scheme [22]:
i=0 k=0
[c]q mod p = c − c/q
· q mod p = c − c/q
mod p.
Remark 5: In Step 1, we assume v, w, n are public so that
i
v kw can be evaluated publicly. In comparison with the DGHV scheme, it is hard to express
i
Remark 6: In Step 2, we use the trivial encryption of v kw division by p as a low degree polynomial over Z p when p is
for all i and k, since they contain no secret information. greater than two. To apply the technique in [8], we first modify
Theorem 4 (Correctness): If the division part using Gentry’s squashing technique [7].
Let us consider parameters κ, , θ such that κ = γ η/ρ ,
c ← Eval.Exp( pk SHE , Ē e , w, v), = ω(κ · log λ), and θ = λ, where γ is a bit length of c,
then ve ← SHE.Decsk SHE (c). η is a bit length of q which is larger than ρ = 2λ.
Set x q = 2κ /q
and choose a -bit random vector Lemma 2 [8]: Let Q be a prime with Q > 22 .
s = (s1 , . . . , s ) with Hamming weight θ . Choose a random Regarding the “complicated part” of the decryption circuit,
integer
u i ∈ Z ∩ [0, p · 2κ ) for i = 1, . . . , such that there is f (x)
an univariate polynomial of degree ≤ 22 such
κ κ −n
i si u i = x q (mod p · 2 ). Set yi = u i /2 , which is smaller that f ( i=1 si z i ) = Q i=1 si z i
mod Q.
p with κ precision after the binary point. In addition,
than Lemma 3 [8]: Let T, be positive integers, and f (x) a
[ i si yi ] p = (1/q) − q for some |q | < 2−κ . To bootstrap univariate polynomial over Z Q (for Q prime, Q ≥ T + 1).
a ciphertext c output by a permuted circuit, we first compute Then there is a multilinear symmetric polynomial M f on T
z i ← [c · yi ] p , keeping only n = log2 θ
+ 3 precision after variables such that
the binary point for i = 1, . . . , . That is, [c · yi ] = z i − i

for some i with |i | ≤ 1/16θ . We have f( si z i )

i=1
(c/q) − si z i = M f (s1 , . . . , s1 , 0, . . . , 0, . . . , s , . . . , s , . . . , 0, . . . , 0),
! " ! " ! " ! "
i=1 p z 1 T −z 1
T −z

z

= (c/q) − si [c · yi ] p − si i for all s = (s1 , . . . , s ) ∈ {0, 1} and z 1 , . . . , z
∈ [0, T ].
⎡
i=1 i=1 p⎤ Lemma 4 [8]: Let Q ≥ + 1 be a prime, let A ⊂ Z Q have

cardinality + 1, let x = (x 1 , . . . , x ) be variables, denote

= ⎣(c/q) − c si · yi − si i ⎦ L A = {(a + x i : a ∈ A, 1 ≤ i ≤ }. For every multilinear
i=1 p i=1 symmetric polynomial M( x ) over Z Q , there is a circuit C( x)

p such that:

= (c/q) − c (1/q) − q − si i • C is a L A -restricted depth-3 circuit over Z Q such that
p
i=1 p
C( x ) ≡ M( x ) mod Q.

• C has + 1 product gates of L A -degree , one gate

= c · q − si i . for each value a j ∈ A, with the j -th gate computing the
i=1 p
value λ j i (a j + x i ) for some constant λ j .

• A description of C can be computed efficiently given the
Since the bit length of c is at most 2γ (η−4)/(ρ +2) < 2κ−4 , values M( x ) at all x = 1i 0−i .
have c · q ≤ 1/16. Additionally, it can be observed that
we Thus we obtain the following theorem:
| si i | ≤ θ · 1/16θ = 1/16. Thus, we have Theorem 5: Let q, p be primes such that q > p > 82 .
For any A ⊂ Z p of cardinality at least 82 + 1, the
[c]q mod p = c − c/q
mod p = c− si z i mod p. (1)
double modulo reduction [·]q mod p can be expressed as
To apply the chimeric L A -restricted depth-3 circuit C of L A -degree at most 82
technique
[8], we convert the above
subset sum into a form, as defined as follows: having at most 82 + + 1 product gates. Thus, the double
Definition 8: Let L = {L j (x 1 , . . . , x n )} be a set of polyno- modulo reduction circuit can be evaluated using the chimeric
mials, all in the same n variables. An arithmetic circuit C is technique.
an L-restricted depth-3 circuit over x := (x 1 , . . . , x n ) if there 2) Bootstrapping in [2]: Cheon et al. [2] proposed a FHE
exists multi sets S1 , . . . , St ⊂ L and constants λ0 , λ1 , . . . , λt based on the Chinese remainder theorem. The decryption
such that of the scheme consists of [·] pi mod Q i with i ∈ [1, k].
t Their scheme only achieves “bootstrapping" when all Q i ’s
C( x ) = λ0 + λi · L j (x 1 , . . . , x n ). are two. They raised the problem of evaluating the double
i=1 L j ∈Si modulo reduction [·] pi mod Q i homomorphically when some
of Q i are greater than 2. We can partially solve this problem
The degree of C with respect to L is d = maxi |Si |. with the above technique, and so complete the bootstrap-
Equation (1) can be converted as follows: ping stage for sufficiently large Q i . This gives a FHE that
[c]q mod p ≡ c − c/q mod p deals with large integers. Note that if the Q i ’s are relatively

prime, we can map a plaintext on Z M with M = i Qi
≡ c− c· si z i mod p into i Z Q i , thus enabling large integer arithmetic on Z M .
i=1 In this bootstrapping procedure, our improved technique for

the evaluation of exponentiation plays an important role, since
≡ c− si z i − 2 −n
si z i mod p, the parameters of the FHE are heavily dependent on the

i=1
! "
i=1
! " homomorphic capacity of the scheme. Using our method, the
simple part complicated part homomorphic capacity can be reduced from 2 log e to 2 logw e
at the cost of public key size Õ(w).
where z i = z i + z i · 2−n for integers z i ∈ [0, p) and
z i ≤ 2n ≤ 8. As well as the simple part, the “complicated
part” can be expressed as a L A -restricted depth-3 circuit C, V. D ISCUSSIONS
provided we choose p such that p > 82 by the following We now discuss some typical applications of FHE
lemmas. in database and cloud computing environments and
analyze the advantages of our hybrid scheme under various scale-invariant FHE based on RLWE allowing multiplicative
scenarios. depth ten in [6] is about 600KB for 80-bit security: the
dimension n is 10067 and the modulus q is a 230-bit integer.
A. Application Model In the above scenario, encryptors (each hospital or client)
can encrypt data using an efficient AES or PKE scheme to
1) Database Encryption: Let us consider the situation
reduce the bandwidth, instead of an inefficient SHE only.
in which a government agency collects medical records of
Ciphertexts of only a few thousand bits are then sent to
patients from a hospital, and extracts some statistical infor-
the database. This could reduce the encryptors’ bandwidth
mation from the records. When lots of data are stored, it
dramatically. When transmitting μ-bit data using the hybrid
becomes more important to protect the data from misuse
scheme of AES and SHE, encryptors need to send encryptions
by insiders or hacking by outsiders. To reduce the risk, the
of their own AES secret key to convert AES ciphertexts into
data may be encrypted prior to storage. Under this sce-
SHE ciphertexts as well as data encryptions. (say, conversion
nario, we give an efficient storage solution using a hybrid
key) Since the size of SHE ciphertext which supports mul-
scheme.
tiplicative depth fifty (forty for decryption of AES and ten
First, the agency generates ( pk Hyb , sk Hyb ) using the
for homomorphic evaluation) is 16MB, the encryptors send
hybrid scheme. The secret key sk Hyb is stored in a secure
an additional 128 × 16MB conversion key.4
area, the public key pk PKE is made public to hospitals,
On the other hand, when using the hybrid scheme of
and pk Hyb is made public to a database. Each hospital
EGM and # μSHE,
$ encryptors only send EGM encryption
uploads its medical records to the database after encryption
of size 1024 ·3072bit to send μ-bit without any addi-
under pk PKE . The agency requests the database to perform
tional conversion key. The conversion key of the EGM
some computations on the patient data to extract infor-
scheme is sent to the server by decryptor (the government
mation. The database performs homomorphic computations
agency).
on the encrypted data using pk Hyb . After evaluating the
After receiving the ciphertext from each encryptor, the
requested computations, the resulting ciphertexts are sent to
server stores and computes on the ciphertexts which contain
the agency. The decryption is carried out in the agency’s secure
secret information of encryptors. The server can reduce the
area.
storage requirement by storing only small AES or PKE
2) Outsourcing of Computations in Cloud Environment:
ciphertexts, instead of large SHE ciphertexts. The server
Suppose that a client who has limited computing power wants
converts these to SHE ciphertexts and performs the necessary
to perform heavy computation on private data. Our hybrid
operations only when required. In the case of hybrid scheme
scheme can be used to protect his privacy, i.e., the computa-
of AES and SHE, the server has to store the conversion
tions of PKE-encrypted data are outsourced along with pk Hyb
key of each clients as well as the public key (containing
to a cloud that has huge computing power and storage. The
evaluation key) to evaluate functions on encrypted data.
cloud performs the outsourced computations, and returns the
In the hybrid scheme of AES and SHE, the public key size
resulting ciphertext encrypted under SHE. Although the fact
is 4n log q = 32MB.5
that the client must send the large-size pk Hyb appears to be a
Let us consider the hybrid scheme of EGM and SHE. The
weakness of our hybrid scheme, this is only a minor concern,
message space of the EGM scheme is Z× N for a 1024-bit
since pk Hyb is sent to the cloud only once in the outsourcing
integer N = pq, and the ciphertext is of the form
procedure.
(C1 , C2 , C3 ) ∈ (Z× N ) . To evaluate the decryption of EGM,
3
Remark 7: Since the client may not trust the cloud, it is
we choose the message space of SHE to be Z N . In scale
desirable that the cloud can prove that the computations on the
invariant SHE based on RLWE [6], we choose the dimension
encrypted data were done correctly. Proof of the correctness
and modulus as follows:
when using only FHE was given in [3]. Further study on this
problem is needed when the hybrid scheme is used to delegate (L(log t + log n + 23) − 8.5)(κ + 110)
n=
the computations. 7.2
log q = L(log t + log n + log log q),
B. Advantages for multiplicative depth L, message space Zt and security
The advantages of using our scheme in the above scenarios parameter κ. Thus, we obtain the ciphertext size of 3GB by
include small bandwidth, reduced storage requirements, and substituting L = 20 and log t = 1024. In this case, we
computational efficiency. In this section, we consider the have to add encryptions of EGM secret key in the public
scale invariant fully homomorphic encryption based on RLWE key to convert EGM ciphertexts into SHE ciphertexts. Since
proposed in [6]. q1 and q2 are 512 bit integers, we add 1024 additional
1) Small Bandwidth and Storage Saving: In a cloud envi- ciphertexts to the public key when using binary expansion of
ronment, each client encrypts their messages using limited 4 We refer parameter analysis of [9]. In state-wise bit-slicing variant of AES
computing power and storage and a server manages the evaluation, they encrypt each bit of AES secret key separately. When the
encrypted data with its large computing power and storage. SHE allows homomorphic multiplications unto depth fifty, the degree n of
the base ring is 51234, and the modulus q is a 1250-bit integer. We can
However, the current FHE’s may not be suited to this envi- obtain 2n log q(= 16MB) size SHE ciphertext.
ronment, because their large ciphertext size entails a large 5 Here, if we use a new key switching technique proposed in [9], the
communication cost. For example, the ciphertext size of evaluation key size is 2n log q.
TABLE I
C OMPARISON B ETWEEN SHE S CHEMES , THE H YBRID S CHEME OF AES W ITH SHE, AND THE H YBRID S CHEME OF EGM W ITH SHE
IN R EGARD TO THE T RANSMITTED C IPHERTEXT S IZE , C IPHERTEXT E XPANSION R ATIO , SHE C IPHERTEXT S IZE ,
P UBLIC K EY S IZE , AND M ULTIPLICATIVE D EPTH OF SHE
q1 and q2 . Therefore, the size of public key is 3TB. If we can and SHE.Dec(a) = SHE.Dec(b) by a ≡ b.
evaluate the modulo N arithmetic under SHE with a smaller
message space, we expect to reduce the size of ciphertext and SHE( f (m 1 , . . . , m n ))
public key of SHE. In the hybrid scheme of EGM and SHE,
≡ SHE(Mi (m 1 , . . . , m n ))
the public key size is much larger. However, differently
i
from the hybrid scheme of AES and SHE, it has an advan-
tage that the server do not need to store each encryptor’s (∵ SHE is additive homomorphic.)

conversion key. ≡ SHE{D(sk, E pk (Mi (m 1 , . . . , m n )))}
Our hybrid scheme of EGM and SHE has more efficient i
bandwidth and storage than the hybrid scheme of AES and
(∵ D ◦ E is an identity)
SHE scheme when more than 1500 encryptors participate in
the above scenario and each encryptor sends data whose size ≡ SHE{D(sk, Mi (E pk (m 1 ), . . . , E pk (m n )))}
is smaller than 1GB.6 i
We summarize the theoretical comparison of the size of (∵ E is multiplicative homomorphic.)
the transmitted ciphertext, SHE-ciphertext and public key
in Table I when each cryptosystem allows homomorphic ≡ D̄(SHE(sk), SHE(Mi (E pk (m 1 ), . . . , E pk (m n )))),
evaluation of depth ten multivariate functions. i
2) Efficient Computing: In our hybrid scheme, we can
where D̄ is the decryption circuit encrypted with SHE
choose an additive or multiplicative homomorphic PKE
and the last equality holds because SHE can evalu-
depending on the property of the circuit we are to eval-
ate D with SHE(sk). More specifically, we follow the
uate. Suppose that the server is to evaluate multivariate
steps:
polynomials f and g, where f has polynomially many
monomials on inputs and g has polynomially many linear 1) Given c1 = E pk (m 1 ), · · · , cn = E pk (m n ), compute
factors. We will use a multiplicative homomorphic PKE in the Mi (c1 , · · · , cn ) = E pk (Mi (m 1 , · · · , m n )) for each i .
first case, and an additive homomorphic PKE in the second 2) Encrypt E pk (Mi (m 1 , · · · , m n )) with SHE and then eval-
case. uate the decryption circuit D̄ with the encrypted secret
First, let us consider key SHE(sk) of E pk . (Observe: one may use trivial
encryption on E pk (Mi ).)
f (x 1 , . . . , x n ) = Mi (x 1 , . . . , x n ), 3) Add them to obtain SHE( f (m 1 , . . . , m n )).
i∈I Now let us consider that the server is to compute a polyno-
which is an n-variable polynomial over a ring R. Each Mi is a mial g(x 1, . . . , x n ) = i∈I L i (x 1 , . . . , x n ) where each L i is
monomial of f . If the degree of f is large, several decryption a linear multivariate factor of g. Suppose that the ciphertexts
or modulus switching procedures are required when using are encrypted under an additive homomorphic encryption E.
ordinary FHE. These are slow, or increase the ciphertext In this case, we follow the steps:
size. However, using our hybrid scheme, we can evaluate f 1) Given c1 = E pk (m 1 ), · · · , cn = E pk (m n ), compute
without bootstrapping, regardless of its degree. Suppose the L i (c1 , · · · , cn ) = E pk (L i (m 1 , · · · , m n )) for each i .
ciphertexts are encrypted under a multiplicative encryption E 2) Encrypt E pk (L i (m 1 , · · · , m n )) with SHE and then eval-
with key ( pk, sk) and SHE can evaluate the decryption uate the decryption circuit D̄ with the encrypted secret
circuit D(sk, ·) of E pk . Given c1 = E pk (m 1 ), . . . , cn = key SHE(sk) of E pk . (Observe: one may use trivial
E pk (m n ), we can compute SHE.Enc( f (m 1 , . . . , m n )) encryption on E pk (L i ).)
with SHE.Enc(sk). Below, we denote SHE.Enc by SHE 3) Multiply them to obtain SHE( f (m 1 , . . . , m n )).
Remark 8: After converting the ciphertexts, we could com-
6 Suppose that m encryptors participate in and each encryptor sends pute them under SHE rather than PKE. Therefore, better use is
k-bit data to the server. Then our approach is more advantageous when made of the hybrid scheme when evaluating fixed multivariate
3TB < (2m)GB and 3k-bit < (2GB + k-bit). polynomials.
VI. G ENERIC C ONVERSION OF SHE F ROM R EFERENCES

P RIVATE -K EY TO P UBLIC -K EY [1] R. Barbulescu, P. Gaudry, A. Joux, and E. Thomé. (2013). “A quasi-
Rothblum [20] showed the way how to transform any polynomial algorithm for discrete logarithm in finite fields of small
characteristic.” [Online]. Available: http://eprint.iacr.org/2013/400
additively homomorphic private-key encryption scheme into [2] J. H. Cheon et al., “Batch fully homomorphic encryption over the
a public-key homomorphic encryption scheme when the mes- integers,” in Advances in Cryptology (Lecture Notes in Computer
sage is Z2 . To apply this method, the private-key SHE needs to Science), vol. 7881, T. Johansson and P. Nguyen, Eds. Berlin, Germany:
Springer-Verlag, 2013, pp. 315–335.
be compact which means that the length of a homomorphically [3] K.-M. Chung, Y. Kalai, and S. Vadhan, “Improved delegation of compu-
generated encryption is independent of the number of cipher- tation using fully homomorphic encryption,” in Advances in Cryptology
texts from which it was created. An additive homomorphic (Lecture Notes in Computer Science), vol. 6223, T. Rabin, Ed. Berlin,
Germany: Springer-Verlag, 2010, pp. 483–501.
encryption is converted from private-key to public key by [4] J.-S. Coron, T. Lepoint, and M. Tibouchi, “Scale-invariant fully homo-
adding a number of encryptions of zero and one to the public morphic encryption over the integers,” in Public-Key Cryptography
key. (Lecture Notes in Computer Science), H. Krawczyk, Ed. Berlin,
Germany: Springer-Verlag, 2014, pp. 311–328.
We can consider our hybrid scheme to be a generic conver-
[5] T. ElGamal, “A public key cryptosystem and a signature scheme based
sion of SHE from private-key to public key whose message on discrete logarithms,” in Advances in Cryptology (Lecture Notes in
space is Z p for some large prime p. We need only add encryp- Computer Science), vol. 196, G. R. Blakley and D. Chaum, Eds. Berlin,
tions of the secret key of a PKE under the private SHE to the Germany: Springer-Verlag, 1984, pp. 10–18.
[6] J. Fan and F. Vercauteren, “Somewhat practical fully homomorphic
public key instead of {SHE.Enci (0)}i and {SHE.Enci (1)}i . encryption,” in Proc. IACR Cryptol., 2012, p. 144.
The encryption algorithm of “public-key” SHE is made up [7] C. Gentry, “Fully homomorphic encryption using ideal lattices,”
of Hyb.Enc and Hyb.Conv. Given a hybrid scheme Hyb = in Proc. 41st Annu. ACM Symp. Theory Comput. (STOC), 2009,
pp. 169–178.
(Hyb.KG, Hyb.Enc, Hyb.Conv, Hyb.Dec, Hyb.Eval) of
[8] C. Gentry and S. Halevi, “Fully homomorphic encryption without
PKE and a private key SHE scheme PrivSHE, we could squashing using depth-3 arithmetic circuits,” in Proc. IEEE 52nd Annu.
construct a public key SHE PubSHE as follows: Symp. Found. Comput. Sci. (FOCS), Oct. 2011, pp. 107–109.
PubSHE.KG(λ): Run PKE.KG to obtain pk PKE and [9] C. Gentry, S. Halevi, and N. P. Smart, “Homomorphic evaluation
of the AES circuit,” in Advances in Cryptology (Lecture Notes in
sk PKE . Output a public key pk PubSHE = ( pk Hyb ) and Computer Science), vol. 7417, R. Safavi-Naini and R. Canetti, Eds.
a secret key sk PubSHE = (sk Hyb ). Berlin, Germany: Springer-Verlag, 2012, pp. 850–867.
PubSHE.Enc( pk PubSHE , m): For a plaintext m ∈ Z p , [10] S. Goldwasser and S. Micali, “Probabilistic encryption,” J. Comput. Syst.
Sci., vol. 28, no. 2, pp. 270–299, 1984.
encrypt m under Hyb.Enc and then output a cipher- [11] A. Joux, “A new index calculus algorithm with complexity
text C ← Hyb.Conv( pk PubSHE , c) where c ← L(1/4 + o(1)) in small characteristic,” in Selected Areas in Cryptog-
Hyb.Enc(m). raphy (Lecture Notes in Computer Science). New York, NY, USA:
Springer, 2013, pp. 355–379.
PubSHE.Dec(sk PubSHE , C): For a ciphertext C, output
[12] M. Joye and B. Libert, “Efficient cryptosystems from 2k -th power
a message m ← Hyb.Dec(sk PubSHE , C). residue symbols,” in Advances in Cryptology. Berlin, Germany:
The semantic security of this conversion follows that of the Springer-Verlag, 2013.
hybrid scheme. [13] J. Kim, M. S. Lee, A. Yun, and J. H. Cheon, “CRT-based fully
homomorphic encryption over the integers,” in Proc. IACR Cryptol.,
2013, paper 2013/057.
VII. C ONCLUSION [14] A. J. Menezes and S. A. Vanstone, “Elliptic curve cryptosystems and
their implementation,” J. Cryptol., vol. 6, no. 4, pp. 209–224, 1993.
We proposed a hybrid scheme that combines public [15] D. Naccache and J. Stern, “A new public key cryptosystem based on
key encryption and somewhat homomorphic encryption. higher residues,” in Proc. 5th ACM Conf. Comput. Commun. Security,
1998, pp. 59–66.
The proposed scheme is suitable for cloud computing [16] M. Naehrig, K. Lauter, and V. Vaikuntanathan, “Can homomorphic
environments since it has small bandwidth, low storage encryption be practical?” in Proc. 3rd ACM Cloud Comput. Security
requirement, and supports efficient computing on encrypted Workshop (CCSW), 2011, pp. 113–124.
[17] T. Okamoto and S. Uchiyama, “A new public-key cryptosystem as secure
data. as factoring,” in Advances in Cryptology (Lecture Notes in Computer
Our solution provides a trade-off between the size of the Science), vol. 1403, K. Nyberg, Ed. Berlin, Germany: Springer-Verlag,
transmitted ciphertexts and the conversion costs. While the 1998, pp. 308–318.
ciphertext expansion of PKE is larger than that of AES, it can [18] P. Paillier, “Public-key cryptosystems based on composite degree resid-
uosity classes,” in Advances in Cryptology (Lecture Notes in Computer
be homomorphically evaluated with a SHE of much smaller Science), vol. 1592, J. Stern, Ed. Berlin, Germany: Springer-Verlag,
multiplicative depth. 1999, pp. 223–238.
The parameters of our hybrid scheme are very large when [19] R. L. Rivest, L. Adleman, and M. L. Dertouzos, “On data banks
and privacy homomorphisms,” Found. Secure Comput., vol. 4, no. 11,
the message space of the underlying FHE is Z N . For an pp. 169–180, 1978.
efficient implementation, we need a method to evaluate mod N [20] R. Rothblum, “Homomorphic encryption: From private-key to public-
arithmetic using an FHE whose message space is Z M for key,” in Theory of Cryptography (Lecture Notes in Computer Sci-
ence), vol. 6597, Y. Ishai, Ed. Berlin, Germany: Springer-Verlag, 2011,
small M > 2. pp. 219–234.
[21] T. Sander, A. Young, and M. Yung, “Non-interactive cryptocomputing
for NC1 ,” in Proc. 40th Annu. Symp. Found. Comput. Sci. (FOCS),
ACKNOWLEDGEMENT New York, NY, USA, Oct. 1999, pp. 554–567.
The authors would like to thank Hyung Tae Lee and [22] M. van Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan, “Fully
homomorphic encryption over the integers,” in Advances in Cryptology
the anonymous reviewers for their valuable and helpful (Lecture Notes in Computer Science), vol. 6110, H. Gilbert, Ed. Berlin,
comments. Germany: Springer-Verlag, 2010, pp. 24–43.
Jung Hee Cheon is currently a Professor Jinsu Kim is currently pursuing the Ph.D. degree
with the Department of Mathematical Sciences, with the Department of Mathematical Sciences,
Seoul National University, Seoul, Korea, and the Seoul National University (SNU), Seoul, Korea.
Director of the Cryptographic Hard Problems He received the B.S. degree in mathematical edu-
Research Initiatives. He received the B.S. and cation from SNU, in 2009. His research interests
Ph.D. degrees in mathematics from the Korea include computational number theory, cryptography,
Advanced Institute of Science and Technology, and information security.
Daejeon, in 1991 and 1997, respectively. After
working as a Senior Researcher with the Elec-
tronics and Telecommunications Research Institute,
Daejeon, and a Visiting Scientist with Brown Uni-
versity, Providence, RI, USA, he was an Assistant Professor with Information
and Communications University, Daejeon, for two years. His research interests
include computational number theory, cryptography, and information security.
He was the Cochair of ICISC, ANTS, and Asiacrypt, and served as a Program
Committee Member of many IACR conferences. He was a recipient of the
best paper award at Asiacrypt in 2008.

A Hybrid Scheme of Public-Key Encryption and Somewhat Homomorphic Encryption

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

A Hybrid Scheme of Public-Key Encryption and Somewhat Homomorphic Encryption

Uploaded by

Copyright:

Available Formats

1052 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO.

A Hybrid Scheme of Public-Key Encryption and

T HE concept of computation on encrypted data with-

m = C RT( p1 ,..., pk ) (m 1 , . . . , m k ). C = f Dec (SHE.Enc(sk PKE ), SHE.Enc(c))

B. Additive Homomorphic Encryptions 2) To evaluate the Chinese remaindering algorithm,

of order 4q2 in Z× = (g − i=1 ri , m̂ i y i=1 ri ,σ i=1 m̌ i

Thus, we obtain Thus the advantage of the attacker in Game0 is

≤ |Pr[S0 ] − Pr[S1 ]| + |Pr[S1 ] − Pr[S2 ]| i i

VI. G ENERIC C ONVERSION OF SHE F ROM R EFERENCES

You might also like