
Conference Paper · July 2015


DOI: 10.1109/NTMS.2015.7266495



Implementation of the fully homomorphic encryption scheme over integers with shorter keys

Luan Cardoso dos Santos, Institute of Computation, Universidade Estadual de Campinas, Campinas, Brazil, luan.cardoso[at]icloud.com
Guilherme Rodrigues Bilar, Department of Computer Science, Universidade Federal de São Carlos, São Carlos, Brazil, guilherme.bilar[at]dc.ufscar.br
Fábio Dacêncio Pereira, COMPSI Lab, Centro Universitário Eurípides de Marília, Marília, Brazil, prof.fabiopereira[at]gmail.com

Abstract— New research in the field of homomorphic encryption schemes has made it possible to implement a variety of schemes using different techniques and programming languages. In this paper we describe the implementation of a DGHV scheme variant using Python and the GMPY2 library. This scheme was first proposed in 2010 by van Dijk et al., and later modified into two variants by Coron in 2011 and 2012, which reduced the prohibitive size of the public keys at the cost of computational power. Besides that, this paper also presents a comparison of these implementations with the previous implementation of Coron's first variant.

Keywords— cryptography; homomorphism; post-quantum; python

I. INTRODUCTION

Modern cryptography is built on hard-to-solve problems, such as integer factorization and elliptic curve problems. With the rise of quantum computing theory, and especially Shor's algorithm, the current "hard problems" may not be adequate for the creation of cryptosystems in the future. With that, a relatively new area of cryptology, post-quantum cryptology, started to gain more and more importance. Amongst the post-quantum cryptosystems capable of resisting attacks, even from a quantum computer, stand the fully homomorphic algorithms.

A fully homomorphic encryption (FHE) scheme is a cryptosystem that allows one, using only public data, to perform an arbitrary computation on the cyphertext and get as a result the encrypted computation over the plaintext. In other words, given a computation f(), a message m and the encryption of said message E(m), there is a function f′() such that [5]:

$f'(E(m)) = E(f(m))$

This characteristic is very desirable, as it allows secure processing on secret data to be executed by an untrusted third party without decrypting the data.

In this work, we show that, for research purposes, a modest domestic computer can be used to implement and execute FHE schemes, which are deemed too complex and slow for real-world applications. The objective is also to produce publicly available code that can be used and improved by other researchers in their work.

The current principal homomorphic cryptosystems are shown in Figure 1. On the branch of "Learning with errors", important works are the RLWE scheme proposed by Brakerski [6] and the BGV scheme [7]. On the branch of lattices, the principal systems were the ones proposed by Gentry and Halevi [1]. Lastly, using integer arithmetic as the underlying base, we have the DGHV scheme [4], from which Coron proposed two variants [2][3].

[Figure 1: tree of the base problems. FHE → LWE: BGV scheme (2012), RLWE (2011); Integers: DGHV (2010) → DGHV with smaller keys (2011), DGHV with modulus change (2012); Lattices: Gentry-Halevi (2010), Gentry (2009)]

Figure 1. The three principal base problems used to create fully homomorphic schemes

II. MOTIVATION

As stated previously, the defining characteristic of an FHE scheme is that one can execute arbitrary processing on the cyphertext without having to decrypt said data. This characteristic, and the fact that most FHE schemes are also asymmetric key schemes, opens up some interesting uses. The canonical example is a voting system, where the data processing is executed in a way that the votes are not decrypted, keeping their secrecy, but allowing the counting to be executed by a public party.

An FHE scheme can also be used to provide an encrypted database, where, in a hypothetical scenario, the server would hold an encrypted database and would be capable of executing encrypted queries, returning the result as encrypted data without having any information about the query or its returned data.

On the other hand, FHE schemes are a recent research area, and there is still much to be done before this technique can be used in practical applications.

III. FHE OVER INTEGERS

Here we give a brief description of the implemented system, as proposed by Coron.

Gentry defines that the DGHV scheme uses as a base block a set of public integers $x_i = p \cdot q_i + r_i$, $0 \le i \le \tau$, where the integer p is secret [4].

The DGHV scheme has the following parameters:

• γ is the bit-length of the $x_i$'s;
• η is the bit-length of the secret key p;
• ρ is the bit-length of the noise $r_i$;
• τ is the number of $x_i$'s contained in the public key;
• ρ′ is a secondary noise parameter used in encryption.

Coron proposed a modification of the DGHV scheme with the addition of a new parameter β. This parameter allows storing only 2β integers, working with integers $x'_{i,j}$ of the form $x'_{i,j} = x_{i,0} \cdot x_{j,1} \bmod x_0$ for $1 \le i, j \le \beta$. With that, the public key size is reduced from τ to 2√τ integers of γ bits each. Moreover, to make the scheme fully homomorphic, it is necessary to add $\lambda^3$ elements y of length $\kappa = \gamma + 2 + \lceil \log_2(\lambda + 1) \rceil$. That would increase the public key size from $\tilde{\mathcal{O}}(\lambda^7)$ to $\tilde{\mathcal{O}}(\lambda^8)$. Coron then proposed that only the first y be stored in the public key, with the other ones being generated with a pseudo-random number generator. That way, the public key size is still $\tilde{\mathcal{O}}(\lambda^7)$ and the elements y are recovered at execution time [2].

Now, for completeness, we describe Coron's proposed scheme primitives, according to the description in [2]:

A. Keygen

First, generate an odd integer p of η bits, then pick an integer $q_0 \in [0, 2^\gamma / p)$, chosen as the product of $\lambda^2$-bit prime numbers, and let $x_0 = q_0 \cdot p$. Generate β pairs of integers $x_{i,0}, x_{i,1}$, $1 \le i \le \beta$. Let $x_{i,b} = p \cdot q_{i,b} + r_{i,b}$, $1 \le i \le \beta$, $0 \le b \le 1$, where the $r_{i,b}$ are integers in $(-2^\rho, 2^\rho)$ and the $q_{i,b}$ are random integers in $[0, q_0)$. Let the partial public key be $pk^* = (x_0, x_{1,0}, x_{1,1}, \ldots, x_{\beta,0}, x_{\beta,1})$.

Then generate the vectors $s^{(0)}$ and $s^{(1)}$ of length $\lceil \sqrt{\Theta} \rceil$, following the conditions that $s^{(0)}_1 = s^{(1)}_1 = 1$; for each $k \in [0, \sqrt{\theta})$ and $b \in \{0, 1\}$, there is at least one set bit amongst the $s^{(b)}_i$'s with $k \lfloor \sqrt{B} \rfloor < i \le (k + 1) \lfloor \sqrt{B} \rfloor$, where $B = \Theta / \theta$; and the set $S = \{(i, j) : s^{(0)}_i \cdot s^{(1)}_j = 1\}$ has exactly θ elements.

After that, initialize a system-wide pseudorandom number generator f with a seed se, then use f(se) to generate $u_{i,j} \in [0, 2^{\kappa+1})$ with $1 \le i, j \le \lceil \sqrt{\Theta} \rceil$, $(i, j) \ne (1, 1)$. Then, set $u_{1,1}$ such that:

$\sum_{(i,j) \in S} u_{i,j} = x_p \bmod 2^{\kappa+1}$

where $x_p \leftarrow \lfloor 2^\kappa / p \rceil$. Then, compute the encryptions $\sigma^{(b)}$ of the vectors $s^{(b)}$, choosing for each $i \in [1, \lceil \sqrt{\Theta} \rceil]$ and $b \in \{0, 1\}$ random integers $r'_{i,b} \in (-2^\rho, 2^\rho)$ and $q'_{i,b} \in [0, q_0)$. Compute $\sigma^{(b)}$ as:

$\sigma^{(b)}_i = s^{(b)}_i + 2 r'_{i,b} + p \cdot q'_{i,b} \bmod x_0$

Let the secret key be $sk = (s^{(0)}, s^{(1)})$ and the public key $pk = (pk^*, se, u_{1,1}, \sigma^{(0)}, \sigma^{(1)})$.

B. Encrypt

Choose a matrix of random numbers $b = (b_{i,j})_{1 \le i, j \le \beta} \in [0, 2^\alpha)^{\beta \times \beta}$ and a random integer r in the interval $(-2^{\rho'}, 2^{\rho'})$. Return the cyphertext as:

$c^* = m + 2r + 2 \sum_{1 \le i, j \le \beta} b_{i,j} \cdot x_{i,0} \cdot x_{j,1} \bmod x_0$

where $m \in \{0, 1\}$ is the plaintext bit being encrypted.

C. Evaluate

The evaluation functions are those capable of executing a computation on the cyphertext. In this scheme, we have two functions, named Add( ) and Mult( ). The cyphertext being a single bit, these functions are analogous to the logical operations XOR and NAND executed on those bits. They are defined as follows:

Add(pk, $c^*_1$, $c^*_2$): returns $c^*_1 + c^*_2 \bmod x_0$

Mult(pk, $c^*_1$, $c^*_2$): returns $c^*_1 \cdot c^*_2 \bmod x_0$

D. Expand

This function expands the cyphertext: it receives as argument the cyphertext $c^*$ and computes the associated matrix z. This function is separated from the Decrypt and Encrypt functions since it can be computed using only public data. First, for each i, j such that $1 < i, j < \sqrt{\Theta}$, compute $u_{i,j}$ using the pseudorandom number generator f(se). Let $y_{i,j} = u_{i,j} / 2^\kappa$, and then compute $z_{i,j} = [c^* \cdot y_{i,j}]_2$, keeping only $\lceil \log_2(\theta + 1) \rceil$ bits of precision after the binary point. Return the expanded cyphertext as $c = (c^*, z)$.

E. Decrypt

Return the plaintext m as $m \leftarrow [c^* - \lfloor \sum_{i,j} s^{(0)}_i \cdot s^{(1)}_j \cdot z_{i,j} \rceil]_2$.†

† $[x]_n$ denotes the reduction of x modulo n.
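The Keygen, Encrypt and Evaluate primitives above, as an added example that is not the paper's code nor the authors' repository code: plain Python integers replace GMPY2's mpz, $q_0$ is a random odd integer rather than a product of primes, the parameters are toy values chosen only to keep the arithmetic visible, and decryption uses the basic (c mod p) mod 2 rule that the squashed circuit of Section III-E reproduces.

```python
import secrets

ETA, RHO, RHO2, ALPHA, BETA = 200, 8, 20, 4, 4   # toy bits of p, r_{i,b}, r, b_{ij}; number of pairs (insecure)
Q0_BITS = 300                                    # q0 is a random odd integer here (paper: product of primes)

def rand_signed(bits):
    """Uniform integer in the open interval (-2^bits, 2^bits)."""
    return secrets.randbelow(2 ** (bits + 1) - 1) - (2 ** bits - 1)

def keygen():
    """Return (p, pk*) with pk* = (x0, [[x_{1,0}, x_{1,1}], ..., [x_{beta,0}, x_{beta,1}]])."""
    p = secrets.randbits(ETA) | (1 << (ETA - 1)) | 1   # odd secret p of exactly ETA bits
    q0 = secrets.randbits(Q0_BITS) | 1                  # odd q0, so x0 = q0 * p is odd and noise-free
    x0 = q0 * p
    xs = [[p * secrets.randbelow(q0) + rand_signed(RHO) for _ in (0, 1)] for _ in range(BETA)]
    return p, (x0, xs)

def encrypt(pk, m):
    """c* = m + 2r + 2 * sum_{i,j} b_{ij} * x_{i,0} * x_{j,1} mod x0 for a plaintext bit m."""
    x0, xs = pk
    acc = 0
    for i in range(BETA):
        for j in range(BETA):
            b_ij = secrets.randbelow(2 ** ALPHA)
            # x'_{i,j} = x_{i,0} * x_{j,1} mod x0 is recomputed here rather than stored:
            # the key holds 2*beta integers instead of beta^2 (or tau) of them
            acc += b_ij * (xs[i][0] * xs[j][1] % x0)
    return (m + 2 * rand_signed(RHO2) + 2 * acc) % x0

def add(pk, c1, c2):
    return (c1 + c2) % pk[0]

def mult(pk, c1, c2):
    return (c1 * c2) % pk[0]

def noise(p, c):
    """Centered residue of c modulo p: equals m + 2*(accumulated noise) while that value is below p/2."""
    t = c % p
    return t - p if t > p // 2 else t

def decrypt(p, c):
    # Plain DGHV rule (c mod p) mod 2; the squashed Decrypt of Section III-E computes the same bit.
    return noise(p, c) % 2

def check_homomorphism():
    """Encrypt every pair of bits; return the (m1, m2) pairs for which Add or Mult decrypt wrongly."""
    p, pk = keygen()
    bad = []
    for m1 in (0, 1):
        for m2 in (0, 1):
            c1, c2 = encrypt(pk, m1), encrypt(pk, m2)
            prod = mult(pk, c1, c2)
            ok = (decrypt(p, c1) == m1
                  and decrypt(p, add(pk, c1, c2)) == m1 ^ m2        # Add acts as XOR on the bits
                  and decrypt(p, prod) == (m1 & m2)                 # Mult multiplies the bits (AND)
                  and abs(noise(p, prod)).bit_length() < ETA - 2)   # product noise still far below p/4
            if not ok:
                bad.append((m1, m2))
    return bad
```

With these sizes the fresh noise is about 2^26 and one multiplication squares it, so only a couple of multiplication levels fit under p before the refresh of Section III-F would be needed.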


F. Recrypt

To execute the recrypt procedure, necessary to refresh the noise level of the cyphertext, apply the decryption circuit over the expanded cyphertext z and the secret key encryptions $\sigma^{(b)}_i$.

Table 1 [2] shows the concrete parameters used by Coron in his work. Those parameters were chosen to mitigate certain kinds of attacks against the cyphertext.

TABLE 1: THE CONCRETE PARAMETERS

Key size | λ | ρ | η | γ | β | Θ | θ
Toy | 42 | 16 | 1088 | 1.6 × 10^5 | 12 | 144 | 15
Small | 52 | 24 | 1632 | 8.6 × 10^5 | 23 | 533 | 15
Medium | 62 | 32 | 2176 | 4.2 × 10^6 | 44 | 1972 | 15
Large | 72 | 39 | 2652 | 1.9 × 10^7 | 88 | 7897 | 15

IV. OUR IMPLEMENTATION

In our implementation, we used the Python programming language. Our choice was based on the fact that Python is a quick and easy way to prototype single-use software. The generated code also has good readability, which will help in the creation of future works and implementations that are more efficient. One of the problems faced during the implementation of this work, besides the lack of reference code, was that the int primitive of Python did not show enough speed to deal with the homomorphic primitives. To solve that, we used the mathematical library GMPY2. This library wraps efficiently coded mathematical primitives for use in Python. The most used one was the multiple precision integer (MPZ), a numeric type with no limit on its length.

[Figure 2]

Figure 2: Correlation of the primitives and their results

In Figure 2, we have a small explanation of how each primitive of the scheme correlates with the others, and the objects each one generates.

V. RESULTS

For the tests, a laptop with a Core i5 M520 @ 2.4 GHz CPU and 4 GB of RAM was used. The obtained times are the arithmetic average of 20 executions.

Table 2 shows the obtained times [11] for the algorithm described by Coron.

TABLE 2: EXECUTION TIMES

Instance | KeyGen | Encrypt | Decrypt | Expand
Toy | 0.6 s | 0.00236 s | 0.0001 s | 1.28103 s
Small | 10 s | 0.01294 s | 0.0002 s | 8.08505 s
Medium | 1 min 1 s | * | * | *
Large | 11 min 21 s | * | * | *

* Memory overflow on the test machine

[Figure 3]

Figure 3: Time comparison on the keygen primitive

Figure 3 shows an illustrative time comparison between our results and the ones obtained by Coron. Despite the architecture and language differences, our implementation was slightly faster. That shows that the MPZ primitive has an execution time compatible with that obtained by the SAGE mathematical language used in Coron's implementation. The same can be said about the decrypt and encrypt primitives.

[Figure 4]

Figure 4: Time comparison on the decrypt primitive
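As an added illustration of the Expand and Decrypt primitives of Section III (not code from the paper or from the authors' repositories), the block below regenerates the $u_{i,j}$ from a seed with $u_{1,1}$ as the single stored correction value, builds the $z_{i,j}$ with $\lceil \log_2(\theta+1) \rceil$ fractional bits as fixed-point integers, and recovers m from the sparse subset sum. It assumes toy sizes for γ and η, a ciphertext constructed directly as $c = p \cdot q + 2e + m$ with small noise e, Python's random module standing in for the generator f(se), rounding (rather than truncating) each $z_{i,j}$, and it omits the block-structure condition that Coron imposes on $s^{(0)}$ and $s^{(1)}$.

```python
import math
import random
import secrets

LAMBDA, GAMMA, ETA, THETA, BIG_THETA = 42, 400, 200, 15, 144   # Toy-like lambda, theta, Theta; tiny gamma, eta
KAPPA = GAMMA + 2 + math.ceil(math.log2(LAMBDA + 1))           # kappa = gamma + 2 + ceil(log2(lambda + 1))
N = math.ceil(math.sqrt(BIG_THETA))                            # length of s^(0), s^(1): ceil(sqrt(Theta))
PREC = math.ceil(math.log2(THETA + 1))                         # fractional bits kept in each z_{i,j}
MOD_U = 1 << (KAPPA + 1)                                       # the u_{i,j} live in [0, 2^(kappa + 1))

def sparse_vector(weight):
    """0/1 vector of length N with s_1 = 1 (index 0 here) and the given Hamming weight."""
    idx = {0}
    while len(idx) < weight:
        idx.add(secrets.randbelow(N))
    return [1 if i in idx else 0 for i in range(N)]

def gen_u(seed):
    """The system-wide generator f(se): every u_{i,j} is regenerated from the seed (u_{1,1} is replaced)."""
    rng = random.Random(seed)
    return [[rng.getrandbits(KAPPA + 1) for _ in range(N)] for _ in range(N)]

def squash_keygen(p, sk, seed):
    """Public part (seed, u_{1,1}) chosen so that sum_{(i,j) in S} u_{i,j} = x_p mod 2^(kappa + 1)."""
    s0, s1 = sk
    u = gen_u(seed)
    x_p = (2 ** (KAPPA + 1) + p) // (2 * p)          # x_p = round(2^kappa / p)
    others = sum(u[i][j] for i in range(N) for j in range(N)
                 if s0[i] and s1[j] and (i, j) != (0, 0))
    return seed, (x_p - others) % MOD_U

def expand(pk, c):
    """z_{i,j} = [c * y_{i,j}]_2 with y_{i,j} = u_{i,j} / 2^kappa, as integers scaled by 2^PREC."""
    seed, u11 = pk
    u = gen_u(seed)
    u[0][0] = u11
    shift = KAPPA - PREC                              # drop all but PREC bits after the binary point
    return [[((c * u[i][j] + (1 << (shift - 1))) >> shift) % (1 << (PREC + 1))
             for j in range(N)] for i in range(N)]

def squashed_decrypt(sk, c, z):
    """m = [c - round(sum_{i,j} s_i^(0) * s_j^(1) * z_{i,j})]_2, evaluated in the scaled integers."""
    s0, s1 = sk
    total = sum(z[i][j] for i in range(N) for j in range(N) if s0[i] and s1[j])
    nearest = (total + (1 << (PREC - 1))) >> PREC     # round the sum to the nearest integer
    return (c - nearest) % 2

def demo():
    """Expand and decrypt one constructed ciphertext per plaintext bit; returns the recovered bits."""
    p = secrets.randbits(ETA) | (1 << (ETA - 1)) | 1
    sk = (sparse_vector(3), sparse_vector(5))         # |S| = 3 * 5 = theta = 15 pairs
    pk = squash_keygen(p, sk, secrets.randbits(64))
    out = []
    for m in (0, 1):
        # constructed c = p*q + 2e + m: the shape a fresh or refreshed ciphertext has, with small e
        c = p * secrets.randbelow(1 << (GAMMA - ETA)) + 2 * secrets.randbelow(1 << 20) + m
        out.append(squashed_decrypt(sk, c, expand(pk, c)))
    return out
```

The rounding error of the sparse sum stays below θ·2^(-(n+1)) < 1/2 with n = ⌈log2(θ+1)⌉, which is why that precision suffices as long as the ciphertext noise is small compared to p.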
[Figure 5]

Figure 5: Time comparison on the encrypt primitive

In Figures 4 and 5, the execution times for encrypt and decrypt, we see execution times on a very small scale. That is one of the characteristics of a homomorphic encryption scheme, especially regarding the decrypt primitive: it needs to have low complexity to enable the scheme to evaluate its own decryption circuit homomorphically, generating less noise in that operation than the amount removed by the "refresh" of the cyphertext. Our implementation behaved within the expected parameters in these three primitives. On the other hand, we were only able to execute those on the Toy and Small testing instances, due to a memory overflow on the machine used for tests.

[Figure 6]

Figure 6: Time comparison on the expansion primitive

The Expansion primitive had some difficulties in our implementation: as shown in Figure 6, the execution time of this particular primitive is far too high in comparison to the original implementation made by Coron. That occurred due to the access time of the matrix, the generation of the random numbers and characteristics intrinsic to the Python language.

This variation of the scheme and this Python implementation can be compared with the other Python implementation of the second variation proposed by Coron. In the second variation the size of the public key was reduced even more, from a complexity factor of $\tilde{\mathcal{O}}(\lambda^7)$ to $\tilde{\mathcal{O}}(\lambda^5)$. That reduction was gained at the cost of increasing the execution time of the Recrypt primitive, as Coron describes in his paper [2]. In simple terms, the concept of using a pseudo-random number generator to generate the necessary values at execution time was applied, storing only correction factors for these random numbers. Table 3 shows a comparison between the generated key sizes of the first and the second variations proposed by Coron.

TABLE 3: COMPARISON OF KEY SIZES

Instance | 1st Variation | 2nd Variation
Toy | 0.95 MB | 354 KB
Small | 9.6 MB | 1690 KB
Medium | 89 MB | 7.9 MB
Large | 802 MB | 18 MB

It is also viable to compare the execution times of our previous Python implementation of the second variation and the one presented here, shown in Tables 4 and 5.

TABLE 4: EXECUTION TIME WITH "TOY" SECURITY

Primitive | 1st Variation | 2nd Variation
KeyGen | 0.6 s | 0.6 s
Encrypt | 0.002 s | 0.02 s
Decrypt | 0.0001 s | 0 s
Expand | 1.28103 s | 0.02 s

In Table 4, the execution times are those of the "Toy" instance. This security parameter is considered insecure, and has the function of being just a "test" instance, whose execution times are useful for comparison and debugging. In that table, we can observe similar times between both implementations, with the exception of the expansion primitive. In that case, the execution time of the first variation is about 60 times longer. That fact is due to both the differences between the variations and the overhead of the matrix in the first implementation.

TABLE 5: EXECUTION TIME WITH "SMALL" SECURITY

Primitive | 1st Variation | 2nd Variation
KeyGen | 10 s | 3.6 s
Encrypt | 0.01294 s | 0.6 s
Decrypt | 0.002 s | 0 s
Expand | 8.08505 s | 1.9 s

The execution times shown in Table 5 were generated with the "Small" parameters, created with the same purpose as Toy, only for a functional analysis of the scheme, but with higher parameters than Toy. It is possible to see a great difference in the execution time of some primitives; for example, the execution time of the KeyGen primitive on the first variation is more than two times longer than on the second variation, due to improvements added to KeyGen proposed by Coron.

The encrypt primitive of the first variation is faster than in the second variation due to the trade-off in the processing-storage relation. The Expand primitive on the first variation is approximately four times slower than in the second variation, for the same reason previously explained.
The source code of both implementations is available to the scientific community on GitHub for further modifications and improvement [9][10].

VI. FUTURE WORKS

The continuation of this work will be the improvement of the Python code, with the objective of obtaining more efficient code. The knowledge accumulated in the creation of this script can also be used in the implementation of such primitives in a faster language, such as C. Another way to reach improvements would be the use of code parallelism or the Python-specific Numba library, as the experiments showed that these could generate significant gains.

Currently there are undergraduate students in our institution working on porting said code to FPGAs and studying its use for authentication on smart cards, both areas being fruitful for applications of cryptography. Besides the FPGA technology, research is being done to run an OpenCL or CUDA version of this code on general-purpose graphics processing units (GPGPU). The use of a "many-core" architecture could result in a significant improvement of the execution times of the primitives. As an early result of that research, a parallel execution is proposed in Figure 7, where multiple instances of the FHE algorithm run independently on each input bit.

[Figure 7]

Figure 7: Proposal of parallel execution

ACKNOWLEDGMENT

We want to express our sincere thanks to all the teachers of the Univem department of computer science, who helped us during our undergraduate course and in these works. We would also like to thank CNPq (National Council for Scientific and Technological Development), who gave us a studentship and allowed us to work full time. A special thanks goes to Prof. Dr. Fábio Dacêncio Pereira, our advisor.

REFERENCES

[1] GENTRY, C. and HALEVI, S., "Implementing Gentry's fully-homomorphic encryption scheme," Advances in Cryptology – EUROCRYPT 2011, pp. 129-148, 2011.
[2] CORON, J.S., MANDAL, A., NACCACHE, D. and TIBOUCHI, M., "Fully Homomorphic Encryption over the Integers with Shorter Public Keys," in P. Rogaway (Ed.), CRYPTO 2011, LNCS, vol. 6841, Springer, pp. 487-504, 2011. Full version available at IACR ePrint.
[3] CORON, J.S., NACCACHE, D. and TIBOUCHI, M., "Public key compression and modulus switching for fully homomorphic encryption over the integers," Advances in Cryptology – EUROCRYPT 2012, Springer Berlin Heidelberg, pp. 446-464, 2012.
[4] VAN DIJK, M., GENTRY, C., HALEVI, S. and VAIKUNTANATHAN, V., "Fully homomorphic encryption over the integers," in H. Gilbert (Ed.), EUROCRYPT 2010, LNCS, vol. 6110, Springer, pp. 24-43, 2010.
[5] GENTRY, C., "A fully homomorphic encryption scheme," Ph.D. thesis, Stanford University, 2009. Available at: http://crypto.stanford.edu/craig.
[6] BRAKERSKI, Z. and VAIKUNTANATHAN, V., "Efficient fully homomorphic encryption from (standard) LWE," SIAM Journal on Computing, vol. 43, no. 2, pp. 831-871, 2014.
[7] BRAKERSKI, Z., GENTRY, C. and VAIKUNTANATHAN, V., "(Leveled) fully homomorphic encryption without bootstrapping," Proceedings of the 3rd Innovations in Theoretical Computer Science Conference, ACM, 2012.
[8] PAILLIER, P., "Public-key cryptosystems based on composite degree residuosity classes," Advances in Cryptology – EUROCRYPT '99, Springer Berlin Heidelberg, pp. 223-238, 1999.
[9] Python implementation of Fully Homomorphic Encryption over the Integers with Shorter Public Keys. Available: https://github.com/lCardosoSantos/Coron441
[10] Python implementation of the Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers. Available: https://github.com/lCardosoSantos/Coron440
[11] BILAR, G. and SANTOS, L. C., "Implementação do esquema totalmente homomórfico sobre inteiros de chave reduzida," XIV Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais, Anais, pp. 444-453, 2014.
