In recent years, opportunities for using cloud services as computing resources have increased, and there is a concern that private information may be leaked when data are processed. Data processing that maintains confidentiality is called secret computation. Homomorphic cryptosystems can add and multiply plaintexts through the manipulation of ciphertexts, but most of them have restrictions on the number of multiplications that can be performed. Among the different types of cryptosystems, fully homomorphic encryption can perform arbitrary homomorphic addition and multiplication, but it takes a long time to eliminate the limitation on the number of homomorphic operations and to carry out homomorphic multiplication. Therefore, in this paper, we propose an arithmetic processing method that can perform an arbitrary number of homomorphic addition and multiplication operations based on the ElGamal cryptosystem. The results of experiments comparing the proposed method with HElib, in which the BGV scheme of fully homomorphic encryption is implemented, showed that, although the processing time for homomorphic addition per ciphertext increased by about 35%, the processing time for homomorphic multiplication was reduced to about 1.8%, and the processing time to calculate the statistic (variance) had approximately a 15% reduction.

With the recent development of cloud services, there has been a growing trend of outsourcing computational tasks. This gives rise to the important security issue of protecting privacy, since personal information is being transferred. To solve the problem, homomorphic cryptosystems capable of computing plaintext by the manipulation of ciphertexts have attracted attention.

Homomorphic cryptosystems include additive homomorphic encryption that can perform only homomorphic additions such as Paillier encryption and lifted-ElGamal encryption, and multiplicative homomorphic encryption that can perform only homomorphic multiplications such as RSA encryption and ElGamal encryption [

Therefore, in this paper, we propose a system capable of both homomorphic addition and homomorphic multiplication based on the ElGamal cryptosystem by using the same value for the random number part normally included in an ElGamal ciphertext across all ciphertexts. However, this raises concerns about a decline in security compared to the ordinary ElGamal cryptosystem. Hence, whenever no homomorphic computation is being performed, the ciphertext is kept in the form of an ordinary ElGamal ciphertext. To accomplish this, we replace the value of $r$ included in the ElGamal ciphertext with a constant or with random numbers.

The rest of the paper is organized as follows. The homomorphic cryptosystem is introduced in Section 2, the ElGamal cryptosystem in Section 3, and fully homomorphic encryption in Section 4. In Section 5, we propose an arithmetic processing method that can perform an arbitrary number of homomorphic addition and multiplication operations based on the ElGamal cryptosystem. Section 6 shows the results of two experiments. Sections 7 - 9 present the discussion, future work, and conclusions.

A homomorphic cryptosystem can perform the addition and multiplication of plaintext by the manipulation of ciphertexts. When ciphertexts $Enc(m_1), Enc(m_2)$ for plaintexts $m_1, m_2$ are given, $Enc(m_1 \circ m_2)$ can be obtained without plaintext or a secret key, where $\circ$ is a binary operator such as addition or multiplication.

The ElGamal cryptosystem is a public key cryptosystem based on the premise that the discrete logarithm problem in a group of large order is difficult. The ElGamal cryptosystem consists of three components: the key generator, the encryption algorithm, and the decryption algorithm.

Key generation

Generate a cyclic group $G$ of order $q$, which is a large prime number. Select a generator $g$ of $G$ and a random integer $x$ from $\{0, \cdots, q-1\}$. Compute $h$ as follows.

$$h \equiv g^{x} \pmod{q}$$

The public key is $(G, q, g, h)$ and the secret key is $x$.

Encryption

To encrypt a message $m \in G$, we randomly select $r \in \{0, \cdots, q-1\}$ and compute $c_1, c_2 \in G^2$ as follows.

$$c_1 \equiv g^{r} \pmod{q}$$

$$c_2 \equiv m g^{xr} \pmod{q}$$

The ciphertext is $(c_1, c_2)$.

Decryption

To decrypt a ciphertext $(c_1, c_2) \in G^2$, we compute $m \in G$ as follows.

$$\frac{c_2}{c_1^{x}} = \frac{m g^{xr}}{g^{xr}} = m \pmod{q}$$

The plaintext is $m$.

FHE is capable of arbitrary operations such as the addition and multiplication of plaintext by the manipulation of ciphertexts. When plaintext is encrypted, constant noise is added according to the security parameters. This noise increases with each homomorphic operation, and if the noise becomes too large, it becomes impossible to decrypt the ciphertext into the original plaintext. In particular, when homomorphic multiplication is performed, the noise increases greatly. Therefore, developers created somewhat homomorphic encryption (SHE), which restricts the number of homomorphic multiplications. Then, in 2009, Gentry proposed Bootstrap as a method to reduce ciphertext noise in SHE. This makes it possible to remove the restrictions of SHE and implement FHE. However, Bootstrap is not practical from the viewpoint of processing speed because it greatly increases the number of calculations.

Since then, studies such as a method called packing for encrypting plural plaintexts into one ciphertext and a scheme for reducing noise of ciphertext without using Bootstrap are progressing [

Bootstrap

Bootstrap reduces the noise accumulated in a ciphertext by homomorphic operations. FHE bases its security on noise added to the ciphertext, which makes decipherment difficult. This noise increases with each homomorphic operation, and if it exceeds a certain threshold value, the ciphertext can no longer be decrypted correctly.

Bootstrap encrypts again a ciphertext in which noise has accumulated and performs the decryption processing using the encrypted secret key. As a result of this decryption, a new ciphertext is obtained in which only the noise required for decryption is stored. With this approach, Gentry realized the configuration of FHE.

In this paper, we propose a method capable of both homomorphic addition and homomorphic multiplication based on the ElGamal cryptosystem. In the proposed method, the random number part normally included in an ElGamal ciphertext is made the same across all ciphertexts. This allows for both homomorphic addition and homomorphic multiplication. However, since this raises concerns about a decline in security compared to the ordinary ElGamal cryptosystem, the ciphertext is kept in the form of an ordinary ElGamal ciphertext whenever no homomorphic computation is being performed. Hereafter, the form of the ciphertext at the time of homomorphic operation is called “an arithmetic form”, and the form of the ciphertext in all other cases is called “a stored form”.

We propose a delegating computation model in which encrypted data are transmitted from the user to the cloud, and the cloud performs arithmetic processing on those encrypted data.

It is assumed that the cloud includes a calculation server and a transformation server. The calculation server performs arithmetic operations such as statistical processing in the encrypted state, and the transformation server replaces the value of $r$ included in the ElGamal ciphertext with a constant or with random numbers (

We assume the roles of the user, the calculation server, the transformation server, the constraints imposed, and the functions as follows.

User

・ Know the plaintext

・ Encrypt the plaintext and send the encrypted data to the calculation server

・ Have a secret key

Calculation Server

・ Cannot get the plaintext

・ When encrypted data are transmitted to the transformation server, they are multiplied by a random number

・ Do not collaborate with the transformation server

・ Do not have a secret key

Transformation Server

・ Cannot get the plaintext

・ When plaintext is transmitted to the calculation server, it is multiplied by a random number

・ Do not collaborate with the calculation server

・ Have a secret key

In the arithmetic form of ciphertext, we use the same value of $r$ included in the ElGamal ciphertext across all ciphertexts. As a result, the arithmetic form of the ciphertext satisfies both additive homomorphism and multiplicative homomorphism.

Given ciphertexts $c_1 = (c_{11}, c_{12}) = (g^{r}, m_1 g^{xr})$, $c_2 = (c_{21}, c_{22}) = (g^{r}, m_2 g^{xr})$ where $m_1, m_2 \in G$.

Additive Homomorphism

Compute ciphertext for $m_1 + m_2$ as follows.

$$c_{12} + c_{22} = m_1 g^{xr} + m_2 g^{xr} = (m_1 + m_2) g^{xr}$$

Then, using $c_{11} = c_{21} = g^{r}$, output $(g^{r}, (m_1 + m_2) g^{xr})$.

Multiplicative Homomorphism

Compute ciphertext for $m_1 \ast m_2$ as follows.

$$c_{12} c_{22} = m_1 g^{xr} \ast m_2 g^{xr} = (m_1 m_2) g^{2xr}$$

Then, compute $c_{11} c_{21} = g^{2r}$ and output $(g^{2r}, (m_1 m_2) g^{2xr})$.
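The two homomorphisms above, carried through to the variance statistic that the paper's second experiment measures, as an added Python example (not the authors' C implementation). The modulus `P = 2**127 - 1`, the base `G = 3`, the `scale` helper and the sample ages are assumptions made here; arithmetic is done modulo the prime `P`, and the plaintexts are small integers.

```python
import secrets

P = 2**127 - 1  # toy prime modulus (assumption, not a vetted parameter set)
G = 3           # toy base element (assumption)

def keygen():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)                      # secret x, public h = g^x

def enc(h, m, r):
    # ElGamal with a caller-supplied r, so a whole batch can share one r
    return pow(G, r, P), m * pow(h, r, P) % P

def dec(x, c):
    # c2 / c1^x, with the inverse taken via Fermat's little theorem
    return c[1] * pow(pow(c[0], x, P), P - 2, P) % P

def add(a, b):
    # Addition is only meaningful when both ciphertexts carry the same c1
    if a[0] != b[0]:
        raise ValueError("c1 differs: ciphertexts are not in one arithmetic form")
    return a[0], (a[1] + b[1]) % P

def mul(a, b):
    return a[0] * b[0] % P, a[1] * b[1] % P

def scale(a, k):
    # Multiply the plaintext by a public constant k (helper added here)
    return a[0], a[1] * k % P

def enc_variance_numerator(cts):
    # Enc(n * sum(m_i^2) - (sum m_i)^2), every operand under c1 = g^(2r)
    sum_sq, total = mul(cts[0], cts[0]), cts[0]
    for c in cts[1:]:
        sum_sq, total = add(sum_sq, mul(c, c)), add(total, c)
    minus_sq = scale(mul(total, total), P - 1)  # -(sum m_i)^2 mod P
    return add(scale(sum_sq, len(cts)), minus_sq)

def variance(values):
    x, h = keygen()
    r = secrets.randbelow(P - 2) + 1            # one r for the whole batch
    cts = [enc(h, m, r) for m in values]
    return dec(x, enc_variance_numerator(cts)) / len(values) ** 2

AGES = [39, 50, 38, 53, 28]                     # constructed sample input
```

The products $m_i^2$ all land under $g^{2r}$, which is why they can still be added to each other and to the squared sum, but not to an unsquared ciphertext under $g^{r}$.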

We show the method of mutual conversion between the arithmetic and the stored forms of ciphertext.

Conversion from Stored to Arithmetic Form

Given $(c_{i1}, c_{i2}) = (g^{r_i}, m_i g^{x r_i})$ where $i \in \mathbb{Z}_q$, $m_i \in G$, and $r_i$ is a random number:

1) The calculation server generates a random number $\alpha_i \in G$ and sends $(c_{i1}, \alpha_i c_{i2})$ to the transformation server.

2) The transformation server decrypts the received ciphertexts:

$$\frac{\alpha_i c_{i2}}{c_{i1}^{x}} = \frac{\alpha_i m_i g^{x r_i}}{g^{x r_i}} = \alpha_i m_i$$

3) The transformation server generates ciphertexts from $\alpha_i m_i$ and a random number $r \in G$ and sends them to the calculation server. $r$ is generated while encrypting $\alpha_1 m_1$, and the same $r$ is used for the encryption of $\alpha_i m_i$ $(i = 2, 3, \cdots)$. Also, when multiple processing contents are included in the calculation request, a different $r$ is used for each processing content:

$$(c'_{i1}, c'_{i2}) = (g^{r}, \alpha_i m_i g^{xr})$$

4) The calculation server removes the random number $\alpha_i$ from the received ciphertexts and computes $(g^{r}, m_i g^{xr})$.

Conversion from Arithmetic to Stored Form

Given $(c_{i1}, c_{i2}) = (g^{r}, m_i g^{xr})$ where $i \in \mathbb{Z}_q$, $m_i \in G$, and $r$ is a constant number:

1) The calculation server generates a random number $\beta_i \in G$ and sends $(c_{i1}, \beta_i c_{i2})$ to the transformation server.

2) The transformation server decrypts the received ciphertexts:

$$\frac{\beta_i c_{i2}}{c_{i1}^{x}} = \frac{\beta_i m_i g^{xr}}{g^{xr}} = \beta_i m_i$$

3) The transformation server generates ciphertexts from $\beta_i m_i$ and random number $r_i \in G$ and sends them to the calculation server:

$$(c''_{i1}, c''_{i2}) = (g^{r_i}, \beta_i m_i g^{x r_i})$$

4) The calculation server removes the random number $\beta_i$ from the received ciphertexts and computes $(g^{r_i}, m_i g^{x r_i})$.
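Both conversions, with the two servers' sides kept separate, as an added Python example (not the authors' implementation). The names `TransformationServer`, `convert`, `roundtrip` and the `seen` log are hypothetical, and the modulus `P` and base `G` are toy assumptions; the `seen` list records what the key-holding server actually observes.

```python
import secrets

P = 2**127 - 1  # toy prime modulus (assumption, not a vetted parameter set)
G = 3           # toy base element (assumption)

def rand():
    return secrets.randbelow(P - 2) + 1

def inv(a):
    return pow(a, P - 2, P)                     # inverse modulo the prime P

class TransformationServer:
    """Holds the secret key x but only ever receives blinded ciphertexts."""
    def __init__(self):
        self.x = rand()
        self.h = pow(G, self.x, P)
        self.seen = []                          # values this server learns

    def reencrypt(self, blinded, shared_r):
        r = rand()                              # the single r of an arithmetic batch
        out = []
        for c1, c2 in blinded:
            v = c2 * inv(pow(c1, self.x, P)) % P        # step 2: alpha_i * m_i
            self.seen.append(v)
            ri = r if shared_r else rand()              # stored form: fresh r_i
            out.append((pow(G, ri, P), v * pow(self.h, ri, P) % P))  # step 3
        return out

def convert(ts, cts, to_arithmetic):
    """Calculation server: blind (step 1), delegate, unblind (step 4)."""
    alphas = [rand() for _ in cts]
    blinded = [(c1, a * c2 % P) for (c1, c2), a in zip(cts, alphas)]
    back = ts.reencrypt(blinded, shared_r=to_arithmetic)
    return [(c1, c2 * inv(a) % P) for (c1, c2), a in zip(back, alphas)]

def roundtrip(msgs):
    ts = TransformationServer()
    stored = [(pow(G, r, P), m * pow(ts.h, r, P) % P)
              for m, r in ((m, rand()) for m in msgs)]
    arith = convert(ts, stored, to_arithmetic=True)
    stored2 = convert(ts, arith, to_arithmetic=False)
    plain = [c2 * inv(pow(c1, ts.x, P)) % P for c1, c2 in stored2]
    return ts, stored, arith, stored2, plain
```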

In this experiment, as the performance evaluation of the proposed method, statistical processing using homomorphic computation is performed and its processing time is measured. As a comparison target, HElib, in which the BGV scheme of FHE is implemented, was used. HElib is an open source library published by IBM and available in C++. The proposed method was implemented in C.

Experiment 1

We measured the processing time of homomorphic addition and homomorphic multiplication. We also measured the processing time of mutual conversion of the ciphertext between stored and arithmetic forms.

Experiment 2

We computed the variance of 1000 - 10,000 data items and measured the processing time. We converted the stored form to arithmetic form, performed statistical processing, and converted the arithmetic form to a stored form. Then, we measured the time taken for this series of flows.

The experimental environment was as follows.

・ OS: Ubuntu 18.04.1 LTS

・ CPU: Intel(R) Core(TM) i7-4790 CPU @ 3.60 GHz

・ Memory: 4 GB

・ Compiler: gcc 7.3.0, g++ 7.3.0

・ Library: NTL-11.0.0, GMP-5.0.4

・ Security: 1024 bit

As an experimental data set, we used the “Adult” labeled dataset provided by UCI. This data set contains 32,561 data items divided by 14 attributes such as age, gender, race, etc. In the experiment, we used the age attribute.

Experiment 1

We measured the processing time for homomorphic addition and homomorphic multiplication (see

Experiment 2

We measured the processing time taken to calculate the variance by homomorphic operations.

Experiment 1

Homomorphic Content | Proposed Method (μsec) | HElib (μsec) |
---|---|---|
Homomorphic Addition | 0.4834 | 0.3579 |
Homomorphic Multiplication | 1.0774 | 61.2303 |
Conversion to stored form | 28.9767 | × |
Conversion to arithmetic form | 73.7447 | × |

Number of Data | Proposed Method (sec) | HElib (sec) |
---|---|---|
1000 | 0.1071 | 5.7759 |
2000 | 0.2164 | 5.8716 |
3000 | 0.3234 | 5.8882 |
4000 | 0.4315 | 6.0660 |
5000 | 0.5336 | 6.3134 |
6000 | 0.6557 | 6.4208 |
7000 | 0.7514 | 6.6371 |
8000 | 0.8538 | 6.8953 |
9000 | 0.9630 | 7.0232 |
10,000 | 1.0736 | 7.3504 |

We measured the processing time for homomorphic addition and homomorphic multiplication and conversion. In the processing time of homomorphic addition, the proposed method required about 135% processing time compared with HElib, but the homomorphic multiplication reduced the processing time to about 1.8%.

Experiment 2

The variance was obtained using 1000 - 10,000 data items and we measured the processing time. In

We need to improve the security of the proposed method, in which we convert from a stored form to an arithmetic form before the homomorphic operation. In arithmetic form, the value of $r$ included in the ElGamal ciphertext $(g^{r}, m g^{xr})$ is the same in all ciphertexts. Therefore, when ElGamal ciphertexts $c_1 = (c_{11}, c_{12}) = (g^{r}, m_1 g^{xr})$, $c_2 = (c_{21}, c_{22}) = (g^{r}, m_2 g^{xr})$, where $m_1, m_2 \in G$, are given, they satisfy the following.

$$\frac{c_{22}}{c_{12}} = \frac{m_2}{m_1}$$

Since the ratio of the plaintexts can be obtained from the ratio of the ciphertexts, if any one plaintext is obtained in any way, all the plaintexts will leak out. However, when the ciphertexts are converted to a stored form again and then back to an arithmetic form, the value of $r$ is again the same in all ciphertexts, but it can be changed to a value different from the value of $r$ before conversion.
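The exposure described above, made concrete as an added Python example (not from the paper): one known plaintext yields the shared mask $g^{xr}$ without the secret key, and that mask stops working once the batch is re-converted under a different $r$. The modulus `P`, base `G`, the function names and the sample values are assumptions made here.

```python
import secrets

P = 2**127 - 1  # toy prime modulus (assumption, not a vetted parameter set)
G = 3           # toy base element (assumption)

def inv(a):
    return pow(a, P - 2, P)                     # inverse modulo the prime P

def arithmetic_batch(h, msgs):
    # Arithmetic form: one r, hence one mask g^(xr), for every ciphertext
    r = secrets.randbelow(P - 2) + 1
    mask = pow(h, r, P)
    return [(pow(G, r, P), m * mask % P) for m in msgs]

def mask_from_known(ct, known_m):
    # c2 = m * g^(xr), so one known (m, c2) pair gives g^(xr) without x
    return ct[1] * inv(known_m) % P

def unmask(batch, mask):
    return [c2 * inv(mask) % P for _, c2 in batch]

def shares_mask(batch_a, batch_b):
    # Defender's check: equal c1 means the same mask protects both batches
    return batch_a[0][0] == batch_b[0][0]

def exposure(msgs, known_index=0):
    x = secrets.randbelow(P - 2) + 1
    h = pow(G, x, P)
    first = arithmetic_batch(h, msgs)
    mask = mask_from_known(first[known_index], msgs[known_index])
    second = arithmetic_batch(h, msgs)          # re-converted under a new r
    return unmask(first, mask), unmask(second, mask), shares_mask(first, second)
```

A calculation server can use the `shares_mask` comparison to confirm that a batch returned by the transformation server does not reuse the $r$ of an earlier batch.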

In this paper, we propose the acceleration of homomorphic arithmetic processing based on the ElGamal cryptosystem and present experiments, evaluation, and discussion. The results of experiments comparing the proposed method with HElib showed that, although the processing time for homomorphic addition per ciphertext increased by about 35%, the processing time for homomorphic multiplication was reduced to about 1.8%, and the processing time to calculate the statistic (variance) had approximately a 15% reduction.

The authors declare no conflicts of interest regarding the publication of this paper.

Jogan, T., Matsuzawa, T. and Takeda, M. (2019) Acceleration of Homomorphic Arithmetic Processing Based on the ElGamal Cryptosystem. Communications and Network, 11, 1-10. https://doi.org/10.4236/cn.2019.111001