
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/344627614

Fast Decryption Algorithm for Paillier Homomorphic Cryptosystem

Conference Paper · October 2020


DOI: 10.1109/ICPICS50287.2020.9202325


All content following this page was uploaded by Taiwo Ogunseyi on 13 October 2020.



2020 IEEE International Conference on Power, Intelligent Computing and Systems (ICPICS)

Fast Decryption Algorithm for Paillier Homomorphic Cryptosystem

Taiwo Blessing Ogunseyi
College of Information and Communication Engineering
Communication University of China, Beijing, China
email: ogunseyitaiwo@outlook.com

Tang Bo
College of Information and Communication Engineering
Communication University of China, Beijing, China
email: tang11bo@126.com

Abstract—With the shift in storage paradigm, there is an increasing need for privacy of datasets and also for an encryption scheme that permits computation on encrypted data. The Paillier cryptosystem is a good example of such a homomorphic encryption scheme. To improve the efficiency of the Paillier homomorphic encryption scheme in terms of its decryption speed and overall computational cost, we propose an improved decryption process. Specifically, we include a variable k to reduce the modular multiplicative arithmetic. The variable k is combined with the L function and the CRT recombination method to arrive at a fast and improved decryption process, and we show the mathematical correctness of the decryption algorithm. Experimental results validate that our scheme is significantly efficient in its decryption speed.

Keywords—Decryption, Algorithm, Public-key Cryptosystem, Homomorphic Encryption, Paillier Cryptosystem

I. INTRODUCTION
The digitalization of data on a large scale [1], caused by the major breakthrough in computing and information technology, called for the collection, storage, and analysis of large amounts of data [2-4]. This technological advancement has also instigated the development of smaller, hand-held devices like smartphones, fitness trackers, and smartwatches, with limited processing resources. On the other hand, the quest for the privacy of data and information has been a pivotal challenge that has generated a lot of research recently. Several encryption schemes have been proposed to ensure the privacy of data and personal information. However, while these schemes are able to ensure the confidentiality and integrity of data, none of them is able to support computation on encrypted data [5,6]. Homomorphic encryption is a special type of encryption that addresses the above-mentioned issue.

Homomorphic encryption, a well-known, robust, and powerful scheme [7-10], has the ability to encrypt, as well as compute on encrypted data without decrypting the data. Homomorphic encryption is basically of two types: fully homomorphic encryption and partial homomorphic encryption; in between these, there is somewhat homomorphic encryption [11-13]. A partial homomorphic encryption scheme supports only one operation on the ciphertext. This could be either an addition or a multiplication of ciphertexts, as depicted in Table I. As a result of its efficiency and applicability, partial homomorphic encryption has a wide range of applications such as private information retrieval, secure voting, and collision-resistant hashing [14-18], and it is also being used as a primitive for other privacy-enhancing technologies like secret sharing, secure multi-party computation, etc.

TABLE I. A SUMMARY OF SOME PARTIAL HOMOMORPHIC ENCRYPTION SCHEMES

| S/No | Partial Cryptosystems | Proposed Year | Homomorphic Operation | Mathematical difficulty | Message expansion | Decryption complexity |
|---|---|---|---|---|---|---|
| 1 | Unpadded RSA | 1978 | Mult. | factoring | 1 | $O(\log(n)^3)$ |
| 2 | Goldwasser-Micali | 1982 | Addition | Quadratic residuosity problem | $n$ | $O(ln^3)$ |
| 3 | ElGamal | 1985 | Mult. | discrete logarithm | 2 | $O(n)^3$ |
| 4 | Benaloh | 1994 | Addition | Higher degree residuosity | $\frac{n}{r}$ | $O(\sqrt{n})$ |
| 5 | Naccache-Stern | 1998 | Addition | Higher degree residuosity | $\geq 4$ | $O(l(n)^5 \log(l(n)))$ |
| 6 | Okamoto-Uchiyama | 1998 | Addition | p-Sylow subgroup | 3 | $O(\log^3 n)$ |
| 7 | Paillier | 1999 | Addition | composite residuosity problem | 2 | $O(\lvert n\rvert^{2+e})$ |
| 8 | Damgard-Jurik | 2001 | Addition | Composite residuosity | $\frac{s+1}{s}$ | $O(ln)$ |
| 9 | Galbraith | 2002 | Addition | Sub group decision | 2 | $O(n^3)$ |
| 10 | Kawachi | 2007 | Addition | lattice problem | 2 | $O(\log n)$ |

The Paillier homomorphic encryption is a good example of an additive homomorphic cryptosystem [7, 9, 12-14]. The encryption and decryption processes of a homomorphic encryption scheme such as the Paillier scheme are computationally expensive on hand-held devices, as on any device with limited processing resources. Hence there is a need for an improved and fast encryption and decryption scheme that supports hand-held devices with limited processing resources. In this study, we propose and implement an improved and fast decryption scheme for Paillier homomorphic encryption by utilizing a new variable k and the CRT.

978-1-7281-9874-3/20/$31.00 ©2020 IEEE 803 July 28-30, 2020•Shenyang, China

Authorized licensed use limited to: Communication University of China. Downloaded on October 13,2020 at 08:34:51 UTC from IEEE Xplore. Restrictions apply.

The rest of this paper is organized as follows. Section 2 gives a brief description of the Paillier homomorphic encryption scheme and the Chinese Remainder Theorem (CRT) based Paillier cryptosystem, while section 3 contains the proposed algorithm's description and its security analysis. Section 4 presents the experimental result for the proposed scheme. Finally, the paper is concluded in section 5.

II. PAILLIER HOMOMORPHIC ENCRYPTION
The Paillier scheme is a public key cryptosystem and it is probabilistic. It is one of the most efficient encryption schemes that is additively homomorphic [17-19]. The Paillier cryptosystem is widely used for implementing privacy-preserving secure computation [20], secure electronic voting [21], electronic cash transactions, etc. as a result of its non-deterministic nature. Mathematically, this scheme relies on the decisional composite residuosity assumption [22]. The scheme has three algorithms described as follows:

A. KeyGen($1^k$)
Generate $n = pq$ and $\lambda = \mathrm{lcm}(p-1,\, q-1)$.

Select $g \in Z^*_{n^2}$, where $Z^*_{n^2}$ is the set of integers co-prime to $n^2$, such that

$$\gcd\left(L(g^{\lambda} \bmod n^2),\, n\right) = 1 \qquad (1)$$

Calculate

$$\mu = \left(L(g^{\lambda} \bmod n^2)\right)^{-1} \bmod n \qquad (2)$$

and

$$L(x) = \frac{x-1}{n} \qquad (3)$$

$\forall\, x \in \{x < n^2 \mid x = 1 \bmod n\}$

$\therefore (n, g) \leftarrow PK,\ (\lambda, \mu) \leftarrow SK$

A simple variant of the key generation steps would be $g = n + 1$, $\lambda = \phi(n)$, $\mu = \phi(n)^{-1} \bmod n$, where $\phi(n) = (p-1)(q-1)$, provided $p, q$ are of the same length.

B. Enc(pk, m), $m \in Z_n$
For $m \in Z_n$, select a random integer $r \in Z_n^*$. The resultant ciphertext is

$$c = g^m \cdot r^n \bmod n^2 \qquad (4)$$

C. Dec(sk, c)
Input $c = g^m \cdot r^n \bmod n^2$, $c \in Z^*_{n^2}$

Compute

$$m = L(c^{\lambda} \bmod n^2) \cdot \mu \bmod n \qquad (5)$$

Output $m$

D. CRT-Based Paillier Cryptosystem
The CRT is used in several encryption schemes to speed up either the encryption or decryption process. However, the focus in this study is on improving the decryption process because of the modular arithmetic involved, which leads to decryption overload in the decryption process of the Paillier scheme [23]. To fully understand the CRT and its application in Paillier encryption, readers are referred to [24] to read about the CRT, Euler's and Fermat's little theorems.

The CRT-based Paillier scheme has three algorithms, namely key generation, encryption, and decryption. The key generation and encryption algorithms have been described in section two above. In this section, the decryption process is explicated since that is the process we intend to improve.

Applying the L function, which is defined on $L = \{x < n^2 \mid x = 1 \bmod n\}$, to the two moduli $p$ and $q$, whose product is $n$, we have

$$L_p = \{x < p^2 \mid x = 1 \bmod p\} \quad \text{and} \quad L_q = \{x < q^2 \mid x = 1 \bmod q\}$$

Thus,

$$L_p(x) = \frac{x-1}{p} \quad \text{and} \quad L_q(x) = \frac{x-1}{q}$$

Recall that from (2) we have,

$$\mu = \left(L(g^{\lambda} \bmod n^2)\right)^{-1} \bmod n$$

Let $\mu = h_p + h_q$

From (2) we have

$$h_p = \left[L_p(g^{p-1} \bmod p^2)\right]^{-1} \bmod p \quad \text{and} \quad h_q = \left[L_q(g^{q-1} \bmod q^2)\right]^{-1} \bmod q$$

which are pre-computed.

Also, from (5) we have,

$$m_p = L_p\left[(c^{p-1} \bmod p^2)\, h_p \bmod p\right] \quad \text{and} \quad m_q = L_q\left[(c^{q-1} \bmod q^2)\, h_q \bmod q\right]$$

Applying the CRT

$$m = \mathrm{CRT}(m_p, m_q) \bmod pq \qquad (6)$$

III. THE PROPOSED SCHEME
The proposed scheme is described in detail in this section. We present an improved decryption scheme that uses the variable k and the L function to reduce the decryption overload, which is built on the PAHE and CRT-based schemes. The proposed scheme comprises three algorithms: key generation, encryption, and decryption, which are described below. The key generation and encryption algorithms remain the same, while the decryption algorithm is modified.

The key generation is based on the simpler key variant proposed in [22], while the encryption algorithm remains the same as in the basic Paillier encryption scheme. The decryption is based on the combination of the decryption process for the basic Paillier scheme and the CRT-based Paillier scheme [22], with the introduction of a new variable k. The security analysis of the scheme and the decryption correctness of the scheme are also shown below.

Parameter setting:

$g = n + 1$, $\lambda = \phi(n)$, $\mu = \phi(n)^{-1} \bmod n$, where $\phi(n) = (p-1)(q-1)$ and the lengths of $p$ and $q$ are equal.

Key Generation:
Generate large random prime integers $p$ and $q$ where $p, q \in 2^{n-1}$
Set $n = p * q$, $\phi(n) = (p-1)(q-1)$ and generate $g = n + 1$
With $L(y) = \frac{y-1}{n}$
Set $(p, q, n)$ as the private key
And $(n)$ as the public key

Encryption:
Given the public key $(n)$ and a message $m \in \{0,1\}^{|n|-1}$
Choose $r \in Z_n^*$ such that $\gcd(r, n) = 1$
Compute $x = r^n \bmod n^2$
Output $c = g^m \cdot r^n \bmod n^2$

Decryption:
Given the private key $(p, q, n)$ and a ciphertext $c$
Assign variable $k = L(y) \cdot \phi(n)^{-1} \bmod n^2$
Compute $k_p = L_p[(p-1)^{-1}] \bmod p^2$ and $k_q = L_q[(q-1)^{-1}] \bmod q^2$
Compute $m = L(c^{\lambda} \bmod n^2) \cdot k \bmod n$
Compute $m_p = L_p[(c^{(p-1)} \bmod p^2)]\, k_p \bmod p$ and $m_q = L_q[(c^{(q-1)} \bmod q^2)]\, k_q \bmod q$
Substitute the value of $k_p$ and $k_q$
$m = \mathrm{CRT}(m_p, m_q) \bmod pq$
Output $m$

A. Security Analysis
We prove that the security of this scheme is guaranteed by the mathematical hardness of the decisional composite residuosity assumption.

Theorem 1: The proposed scheme is secure if the decisional composite residuosity assumption holds.

Proof: Let X be any probabilistic polynomial-time algorithm, and assume X gets $n$, $p$ as input, where $n$ is a composite number and has $k$ bits and $p$ is a random $n$-th power in $Z^*_{n^2}$. X outputs a bit $b$. Let $pr(X, k)$ be the probability that $b = 1$ if $p$ is random in $Z^*_{n^2}$ and $pr'(X, k)$ be the probability that $b = 1$ if $p$ is a random $n$-th power. Then $|pr(X, k) - pr'(X, k)| \geq 1/f(k)$ for any polynomial time. $DCR[n]$ is random self-reducible over $c \in Z^*_{n^2}$.

B. Decryption Correctness
Suppose Alice with the public key $pk$ encrypts message $m$ and sends the ciphertext $c$ to Bob. Bob with the secret key $Sk$ decrypts the ciphertext $c$ and sends both the ciphertext $c$ and the message $m$ to Eve. How does Eve confirm that the message $m$ is from the ciphertext $c$, and that the decryption algorithm is correct?

A zero-knowledge proof is used to prove that Bob decrypts the ciphertext correctly.

Suppose a prover P (Bob) presents a verifier V (Eve) with a ciphertext $c$ and claims that it encrypts plaintext $m$, or more precisely that he knows $r$ such that $c = E(m, r)$. A simple way to convince V would be to reveal the random integer $r$, such that V can verify that $c = E(m, r) = (1 + n)^m r^n \bmod n^2$. However, we need a solution where no extra useful information is revealed [25].

Procedure for nth root
Input: $n$, $u$
Private Input for P: $v \in Z_n^*$, such that $u = E(m, v)$.
1) P chooses $r$ at random in $Z_n^*$ and sends $a = E(m, r)$ to V.
2) V chooses $e$, a random $t$ bit number, and sends $e$ to P.
3) P sends $z = r v^e \bmod n$ to V.
V checks that $u, a, z$ are prime to $n$ and that $E(m, z) = a u^e \bmod n^2$ and accepts if and only if this is the case.

C. Complexity Analysis of the three schemes
The computational complexity of each of the schemes (PAHE, CRT-based Paillier, and the proposed scheme) is represented in terms of the big O notation as depicted in Table II.

TABLE II COMPUTATIONAL COMPLEXITY OF THE SCHEMES

| Schemes | Computational Complexity |
|---|---|
| Basic Paillier (PPHE) | $\mathcal{O}(\lvert n\rvert^{3})$ |
| CRT-PHES | $\mathcal{O}(\lvert n\rvert^{2} \lvert\alpha\rvert)$ |
| NC-PHES | $\mathcal{O}(\log n)$ |

IV. EXPERIMENT
All experiments were done on an Intel Core i7-2600 MacBook Pro, running at 2.9GHz with 8GB RAM, and all the programs were written in Python 3. We tested the whole scheme with a file size of 1.2MB, with various key lengths. Each experiment was carried out 30 consecutive times, and the average result was recorded. We compared the proposed scheme with existing solutions by implementing three different Paillier schemes: the basic Paillier scheme referred to as PPHE, the traditional CRT-based Paillier scheme (CRT-PHES) and the proposed scheme. The result shows that the proposed scheme performs much better in terms of the decryption time, with the result presented in figure 1. The proposed scheme reduces the decryption workload by a factor of 2, representing the decryption complexity by $O(\log n)$ as there is a linear logarithmic relation between the input size $n$ and the decryption time.

Fig 1. Decryption time for three schemes

The key generation time for various key lengths was tested for the proposed scheme as shown in figure 2. The result shows that there is an almost linear increase in the key generation time as the key length increases.
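The basic decryption (5) and CRT decryption (6) compared in this section, together with one run of the n-th root check from the decryption-correctness discussion, as an added Python example that is not the authors' code. The small constructed primes, all function names, and the step that strips the claimed plaintext ($u = c \cdot g^{-m} \bmod n^2$, the form in which $z^n = a u^e$ holds) are assumptions of this example; $h_p$ and $h_q$ multiply the output of $L_p$ and $L_q$, and the proposed variable $k$ is not implemented.

```python
import math
import secrets

P, Q = 1000003, 1000033   # constructed small primes; real keys use >= 1024-bit primes

def L(x, d):               # L_d(x) = (x - 1) / d for x = 1 mod d
    return (x - 1) // d

def rand_unit(n):          # uniform element of Z_n^*
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            return r

def keygen(p=P, q=Q):      # simple variant: g = n + 1, lambda = phi(n)
    n, phi = p * q, (p - 1) * (q - 1)
    g = n + 1
    sk = {"p": p, "q": q, "phi": phi, "mu": pow(phi, -1, n),
          "hp": pow(L(pow(g, p - 1, p * p), p), -1, p),   # pre-computed h_p
          "hq": pow(L(pow(g, q - 1, q * q), q), -1, q)}   # pre-computed h_q
    return {"n": n, "g": g}, sk

def encrypt(pk, m, r=None):                # equation (4)
    n = pk["n"]
    if not 0 <= m < n:
        raise ValueError("message must lie in Z_n")
    r = rand_unit(n) if r is None else r
    return pow(pk["g"], m, n * n) * pow(r, n, n * n) % (n * n)

def decrypt_basic(pk, sk, c):              # equation (5): one exponentiation mod n^2
    n = pk["n"]
    return L(pow(c, sk["phi"], n * n), n) * sk["mu"] % n

def decrypt_crt(pk, sk, c):                # equation (6): two half-size exponentiations
    p, q = sk["p"], sk["q"]
    mp = L(pow(c, p - 1, p * p), p) * sk["hp"] % p
    mq = L(pow(c, q - 1, q * q), q) * sk["hq"] % q
    return mp + p * ((mq - mp) * pow(p, -1, q) % q)   # CRT (Garner) recombination

def add(pk, c1, c2):                       # E(m1) * E(m2) decrypts to m1 + m2 mod n
    return c1 * c2 % (pk["n"] ** 2)

def prove_decryption(pk, sk, c, m, e=None, t=16):
    """One run of the n-th root protocol; True iff the verifier accepts m for c."""
    n, n2 = pk["n"], pk["n"] ** 2
    # Both sides strip the claimed plaintext: u = c * g^(-m) is an n-th power
    # exactly when c encrypts m, and only then does z^n = a * u^e hold.
    u = c * pow(pk["g"], -m, n2) % n2
    v = pow(u, pow(n, -1, sk["phi"]), n)   # prover recovers the witness with phi(n)
    r = rand_unit(n)
    a = pow(r, n, n2)                      # 1) P -> V: commitment a = r^n mod n^2
    e = secrets.randbits(t) if e is None else e   # 2) V -> P: t-bit challenge
    z = r * pow(v, e, n) % n               # 3) P -> V: response z = r * v^e mod n
    units = all(math.gcd(x, n) == 1 for x in (u, a, z))
    return units and pow(z, n, n2) == a * pow(u, e, n2) % n2
```
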

Fig 2. Key generation time versus key length for the proposed scheme

Fig 3. Encryption time versus key length for NC-PHE

The encryption time for various key lengths was also measured and compared. With a constant file size, we vary the key length as presented in figure 3. The result indicated that the encryption time also grows linearly with the key length, which in some other encryption schemes grows exponentially.

V. CONCLUSION
In this paper, we proposed an improved and fast decryption for the generic Paillier homomorphic encryption scheme by introducing a variable k, which replaces the pre-computed $h_p$ and $h_q$ functions and helps reduce the modular multiplicative inverse that is associated with the decryption process in the Paillier scheme, and demonstrated the mathematical correctness of the decryption algorithm. To compare our scheme to other existing solutions, we implemented three different Paillier schemes, namely the basic Paillier, the traditional CRT-based Paillier, and the proposed scheme. Empirical results showed that our scheme is more efficient in terms of its decryption speed, which ultimately reduces its computational cost. We believe that the reduced workload and computational cost in the decryption speed would be of great benefit for devices with limited computing power and even organizations.

REFERENCES
[1] M. Marjani, F. Nasaruddin, A. Gani, A. Karim, I. Hashem, A. Siddiqa, and I. Yaqoob, “Big IoT Data Analytics: Architecture, Opportunities, and Open Research Challenges,” IEEE Access, vol. 5, 2017, pp. 5247–5261.
[2] R. Mendes and J. P. Vilela, “Privacy-Preserving Data Mining: Methods, Metrics, and Applications,” IEEE Access, vol. 5, 2017, pp. 10562–10582.
[3] L. T. Phong, Y. Aono, T. Hayashi, L. Wang, and S. Moriai, “Privacy-Preserving Deep Learning via Additively Homomorphic Encryption,” IEEE Trans. Inf. Forensics Secur., vol. 13, no. 5, 2018, pp. 1333–1345.
[4] X. Yang, X. Yi, S. Nepal, A. Kelarev, and F. Han, “A Secure Verifiable Ranked Choice Online Voting System Based on Homomorphic Encryption,” IEEE Access, vol. 6, 2018, pp. 20506–20519.
[5] A. A. Badawi, Y. Polyakov, K. M. Aung, B. Veeravalli and K. Rohloff, “Implementation and Performance Evaluation of RNS Variants of the BFV Homomorphic Encryption Scheme,” Cryptology ePrint Archive, 2018, https://eprint.iacr.org/2018/589
[6] J. Kim, S. Kim, and J. Seo, “A new scale-invariant homomorphic encryption scheme,” Inform Sciences, vol. 422, 2018, pp. 177–187.
[7] M. Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan, “Fully homomorphic encryption over the integers,” Adv. Cryptology–EUROCRYPT ’10, Lecture Notes in Computer Science, 2010, pp. 24–43.
[8] C. Gentry, A. Sahai, and B. Waters, “Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based,” In R. Canetti and J. A. Garay, editors, Advances in Cryptology - CRYPTO 2013, Part I, 2013, pages 75-92. Springer.
[9] I. Chillotti, N. Gama, M. Georgieva, and M. Izabachène, “Faster Packed Homomorphic Operations and Efficient Circuit Bootstrapping for TFHE,” In ASIACRYPT (1), volume 10624 of Lecture Notes in Computer Science, 2017, pages 377-408.
[10] Y. Doroz, E. Ozturk, and B. Sunar, “Accelerating Fully Homomorphic Encryption in Hardware,” IEEE Trans. Comput, vol. 64, no. 6, 2015, pp. 1509–1521.
[11] E. A. Silva and M. Correia, “Leveraging a homomorphic encryption library to implement a coordination service,” Proc. - 2016 IEEE 15th Int. Symp. Netw. Comput. Appl. NCA 2016, 2016, pp. 39–42.
[12] V. Migliore, G. Bonnoron, and C. Fontaine, “Practical Parameters for Somewhat Homomorphic Encryption (SHE) Schemes on Binary Circuits,” IEEE Trans. Comput., vol. 67, no. 11, 2018, pp. 1550–1560.
[13] J. L. H. Crawford, C. Gentry, S. Halevi, D. Platt, and V. Shoup, “Doing Real Work with FHE: The Case of Logistic Regression,” IACR Cryptol. ePrint Arch., 2018.
[14] W. Ding, Z. Yan, and R. Deng, “Privacy-Preserving Data Processing with Flexible Access Control,” IEEE Trans. Dependable Secur. Comput., vol. 5971, no. 99, 2017, pp. 1–1.
[15] M. Nassar, A. Erradi, and Q. M. Malluhi, “Paillier’s encryption: Implementation and cloud applications,” 2015 1st Int. Conf. Appl. Res. Comput. Sci. Eng. ICAR 2015, no. March 2018.
[16] Y. Yang, “Evaluation of Somewhat Homomorphic Encryption Schemes,” 2013.
[17] J. Sen, “Homomorphic Encryption — Theory and Application,” Theory Pract. Cryptogr. Netw. Secur. Protoc. Technol., no. July 2013, 2013.
[18] A. Acar, H. Aksu, A. Selcuk Uluagac and M. Conti, “A Survey on Homomorphic Encryption Schemes: Theory and Implementation,” ACM Compt. Surv, vol. 51, 2018, No. 4, Article 79.
[19] N. G. Tsoutsos and M. Maniatakos, “The HEROIC framework: Encrypted computation without shared keys,” IEEE Trans. Comput. Des. Integr. Circuits Syst., vol. 34, no. 6, 2015, pp. 875–888.
[20] X. Wu, B. Chen, and J. Weng, “Reversible data hiding for encrypted signals by homomorphic encryption and signal energy transfer,” J. Vis. Commun. Image Represent., vol. 41, 2016, pp. 58–64.
[21] R. Harerimana, S. Y. Tan, and W. C. Yau, “A Java implementation of the pallier homomorphic encryption scheme,” 2017 5th Int. Conf. Inf. Commun. Technol. ICoIC7 2017, vol. 0, 2017, no. c.
[22] P. Paillier, “Public-Key Cryptosystems Based on Composite Degree Residuosity Classes,” Eurocrypt, vol. 1592, 1999, pp. 223–238.
[23] I. San, N. At, I. Yakut, H. Polat, “Efficient paillier cryptoprocessor for privacy-preserving data mining,” Security and Communication Networks, vol. 9, no. 11, pp. 1535-1546, 2016.
[24] H. Xiao, Y. Huang, Y. Ye, and G. Xiao, “Robustness in Chinese Remainder Theorem,” arXiv, 2007, pp. 1–12.
[25] I. Damgård, M. Jurik, and J.B. Nielsen, “A generalization of Paillier’s public-key system with applications to electronic voting,” Int. J. Inf. Secur. 9, 371–385, 2010.
