
This section describes a few common partially homomorphic encryption cryptosystems: RSA, El Gamal, Paillier and Goldwasser–Micali. The encryption and decryption algorithms are given in order to prove their homomorphic properties. A similarity between the schemes is that each multiplies cipher values within a large modulus to compute its homomorphic function. Hence this operation was the first to be analysed in this thesis for making homomorphic encryption practical, leading to Hypothesis 1 (discussed in Appendix A).

Rivest-Shamir-Adleman Cryptosystem

The encryption and decryption algorithms for the Rivest-Shamir-Adleman cryptosystem (RSA) are now given: $E(m) = m^e \bmod n$ and $D(c) = c^d \bmod n$. Both raise a message (plain or cipher) to an exponent inside a modulus $n$. The proof that RSA supports a homomorphic multiplication operation is given below. The two messages are multiplied together because their exponents are the same; therefore, two cipher values can compute a multiplication operation.
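As an added illustration of the RSA description above (this is example code, not the thesis' own), the following toy implementation uses textbook RSA with a constructed key (p = 61, q = 53, e = 17, so n = 3233) and checks that the product of two ciphertexts decrypts to the product of the plaintexts modulo n. All parameter values are assumptions chosen for readability; a deployed key uses primes of 1024 bits or more, and padded RSA (for example OAEP) deliberately removes this homomorphic property.

```python
# Added example (not from the thesis): textbook RSA with constructed small
# parameters, demonstrating E(m0) * E(m1) mod n = E(m0 * m1 mod n).

def rsa_keygen(p, q, e):
    """Return ((n, e), (n, d)) for primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)

def rsa_encrypt(m, pub):
    n, e = pub
    return pow(m, e, n)          # E(m) = m^e mod n

def rsa_decrypt(c, priv):
    n, d = priv
    return pow(c, d, n)          # D(c) = c^d mod n

def homomorphic_multiply(c0, c1, n):
    """Multiply two ciphertexts; the result encrypts m0 * m1 mod n."""
    return (c0 * c1) % n

def demo_rsa(m0=7, m1=11):
    """Return (decrypted product, expected m0 * m1 mod n) for a toy key."""
    pub, priv = rsa_keygen(61, 53, 17)   # constructed toy key, n = 3233
    c0, c1 = rsa_encrypt(m0, pub), rsa_encrypt(m1, pub)
    got = rsa_decrypt(homomorphic_multiply(c0, c1, pub[0]), priv)
    return got, (m0 * m1) % pub[0]

if __name__ == "__main__":
    got, expected = demo_rsa()
    print(f"D(E(7) * E(11)) = {got}, 7 * 11 mod n = {expected}")
```

Note that the result is only equal to the integer product while m0 × m1 < n; the second call in the test shows the wrap-around modulo n that the proof's final "mod n" term implies.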

$$E(m_0) \times E(m_1) = m_0^e \times m_1^e \bmod n = (m_0 \times m_1)^e \bmod n \;\therefore\; m_0 \times m_1 \bmod n$$

El Gamal

The security strength of El Gamal is based on the NP-hardness of solving discrete logarithms, which was first proposed in 1985 by Taher Elgamal [5]. There is no publicly known algorithm to solve (break) it quickly (assuming a large key size, for example 2048 bits). The encryption algorithm $E(m) = [\alpha^k \bmod p,\; \beta^k \times m \bmod p]$, where $k$ is random and the remaining values are public knowledge, is unique in that the cipher is made up of two parts. The decryption algorithm joins these parts together with the secret $d$: $D(c) = (\beta^k \times m) \times ((\alpha^k)^d)^{-1} \bmod p$. The important aspect for this thesis is that El Gamal supports homomorphic multiplication operations on encrypted data, as proven below. The two $\beta$ values can be seen as the encryption of a single value because the $k$s are random, so they can just be combined into another random value.

$$E(m_0) \times E(m_1) = [\alpha^{k_0} \times \alpha^{k_1} \bmod p,\; \beta^{k_0} \times m_0 \times \beta^{k_1} \times m_1 \bmod p]$$

$$= [\alpha^{k_0+k_1} \bmod p,\; \beta^{k_0+k_1} \times m_0 \times m_1 \bmod p]$$

$$= [\alpha^{k} \bmod p,\; \beta^{k} \times m_0 \times m_1 \bmod p]$$
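The component-wise product proved above, as an added example that is not part of the thesis: El Gamal over a constructed small prime field (p = 2579, generator α = 2, private key d = 765 are assumed toy values; a real key uses a prime of 2048 bits or more). Multiplying the two ciphertext parts pairwise yields a ciphertext whose implicit randomness is k0 + k1, and decrypting it returns m0 × m1 mod p.

```python
import secrets

# Added example (not from the thesis): El Gamal multiplicative homomorphism
# with constructed toy parameters.

P = 2579                  # constructed small prime (assumption)
ALPHA = 2                 # public generator (assumption)
D = 765                   # private key (assumption)
BETA = pow(ALPHA, D, P)   # public key beta = alpha^d mod p

def elgamal_encrypt(m, k=None):
    """E(m) = [alpha^k mod p, beta^k * m mod p] with a fresh random k."""
    if k is None:
        k = secrets.randbelow(P - 2) + 1        # k in [1, p-2]
    return pow(ALPHA, k, P), (pow(BETA, k, P) * m) % P

def elgamal_decrypt(c):
    """Recover m by dividing the second part by (alpha^k)^d = beta^k."""
    c1, c2 = c
    return (c2 * pow(c1, -D, P)) % P   # negative exponent = modular inverse

def homomorphic_multiply(ca, cb):
    """Pairwise product of the two parts; k0 + k1 acts as the new random k."""
    return (ca[0] * cb[0]) % P, (ca[1] * cb[1]) % P

def demo_elgamal(m0=17, m1=29):
    """Return (decrypted product, expected m0 * m1 mod p)."""
    c_prod = homomorphic_multiply(elgamal_encrypt(m0), elgamal_encrypt(m1))
    return elgamal_decrypt(c_prod), (m0 * m1) % P

if __name__ == "__main__":
    print(demo_elgamal())
```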

Paillier

Proposed in 1999 by Pascal Paillier [6], the Paillier cryptosystem is based on the fact that computing $n$th residue classes is hard. The encryption algorithm is $E(m) = g^m \times r^n \bmod n^2$, where $r$ is random, and decryption is achieved through $D(c) = L(c^\lambda \bmod n^2) \times \mu \bmod n$. The homomorphic operation supported by the Paillier cryptosystem is addition. This is achieved by multiplying two cipher values together and is proven below. Addition is achieved because the message $m$ is now the exponent, unlike RSA. The random values ($r_0$ and $r_1$) can just be combined as a single random value $r$.
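As an added example (not the thesis' code) of the Paillier construction described above, the block below generates a toy key from the constructed primes p = 11 and q = 13 (n = 143), using the common choice g = n + 1 and the L function L(u) = (u − 1)/n, and checks that the product of two ciphertexts modulo n² decrypts to the sum of the plaintexts modulo n. It also includes a scalar multiplication by raising a ciphertext to a constant power, which goes beyond what the thesis text states but follows from the same exponent argument.

```python
import secrets
from math import gcd, lcm

# Added example (not from the thesis): Paillier additive homomorphism with a
# constructed toy key. Real deployments use primes of 1024 bits or more.

def L(u, n):
    """The L function from the decryption formula: (u - 1) / n."""
    return (u - 1) // n

def paillier_keygen(p, q):
    n = p * q
    assert gcd(n, (p - 1) * (q - 1)) == 1
    lam = lcm(p - 1, q - 1)
    g = n + 1                                     # standard simple choice of g
    mu = pow(L(pow(g, lam, n * n), n), -1, n)     # mu = L(g^lambda mod n^2)^-1
    return (n, g), (n, lam, mu)

def paillier_encrypt(m, pub, r=None):
    n, g = pub
    while r is None or gcd(r, n) != 1:            # r must be a unit modulo n
        r = secrets.randbelow(n - 1) + 1
    return (pow(g, m, n * n) * pow(r, n, n * n)) % (n * n)

def paillier_decrypt(c, priv):
    n, lam, mu = priv
    return (L(pow(c, lam, n * n), n) * mu) % n

def homomorphic_add(c0, c1, n):
    """E(m0) * E(m1) mod n^2 encrypts m0 + m1 mod n."""
    return (c0 * c1) % (n * n)

def homomorphic_scale(c, k, n):
    """E(m)^k = g^(k m) * r^(k n) encrypts k * m mod n (beyond the thesis text)."""
    return pow(c, k, n * n)

def demo_paillier(m0=40, m1=65):
    """Return (D(E(m0) * E(m1)), D(E(m0)^3)) for the toy key."""
    pub, priv = paillier_keygen(11, 13)           # constructed toy key, n = 143
    n = pub[0]
    c_sum = homomorphic_add(paillier_encrypt(m0, pub), paillier_encrypt(m1, pub), n)
    c_scaled = homomorphic_scale(paillier_encrypt(m0, pub), 3, n)
    return paillier_decrypt(c_sum, priv), paillier_decrypt(c_scaled, priv)

if __name__ == "__main__":
    print(demo_paillier())
```

The second test call shows the same wrap-around behaviour as the proof's final "mod n": sums that reach n are reduced, so a practitioner must size n above any sum the application can produce.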

$$E(m_0) \times E(m_1) = (g^{m_0} \times r_0^n)(g^{m_1} \times r_1^n) \bmod n^2 = g^{m_0+m_1} \times r_0^n \times r_1^n \bmod n^2 = g^{m_0+m_1} \times r^n \bmod n^2 \;\therefore\; m_0 + m_1 \bmod n$$

Goldwasser–Micali

The previous partially homomorphic encryption cryptosystems have encrypted integers, whereas the cryptosystem presented by Shafi Goldwasser and Silvio Micali in 1982 only encrypts individual bits [47]. This is because it is based on the quadratic residuosity problem, where a cipher value is either a quadratic residue or not for some modulus (only two possible results). The encryption algorithm is $E(m) = y^2 \times x^m \bmod n$, where $m \in \{0, 1\}$ and $y$ is random such that $\gcd(y, n) = 1$, i.e. $y$ is in the group of units modulo $n$. The decryption algorithm just performs the test of whether the cipher value is a quadratic residue modulo $n$, resulting in one of two possible values $\{0, 1\}$. This cryptosystem is unique in that it supports a homomorphic XOR operation, as proven below. Technically, it is still an addition operation; however, the result can only be $\{0, 1\}$. Therefore, two bits of value 1 will make $x^2$, which is equivalent to $x^0$.

$$E(m_0) \times E(m_1) = y_0^2 \times y_1^2 \times x^{m_0} \times x^{m_1} \bmod n = (y_0 y_1)^2 \times x^{m_0+m_1} \bmod n \;\therefore\; m_0 + m_1 \bmod 2 \;\therefore\; m_0 \oplus m_1$$
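The XOR property proved above, as an added example that is not the thesis' code: a toy Goldwasser–Micali instance over the constructed primes p = 7 and q = 11 (n = 77). The public value x is chosen as a quadratic non-residue modulo both primes (the search below finds x = 6), decryption applies Euler's criterion modulo the secret prime p, and the product of two bit encryptions decrypts to the XOR of the bits for all four input combinations.

```python
import secrets
from math import gcd

# Added example (not from the thesis): Goldwasser-Micali XOR homomorphism with
# a constructed toy key. Real keys use primes of 1024 bits or more.

def is_quadratic_nonresidue(v, p):
    """Euler's criterion: v^((p-1)/2) = -1 mod p exactly for non-residues."""
    return pow(v, (p - 1) // 2, p) == p - 1

def gm_keygen(p, q):
    """Public key (n, x): x is a non-residue modulo both p and q."""
    n = p * q
    x = next(v for v in range(2, n)
             if is_quadratic_nonresidue(v, p) and is_quadratic_nonresidue(v, q))
    return (n, x), (p, q)

def gm_encrypt(bit, pub, y=None):
    """E(m) = y^2 * x^m mod n with y a random unit modulo n."""
    n, x = pub
    while y is None or gcd(y, n) != 1:
        y = secrets.randbelow(n - 1) + 1
    return (y * y * pow(x, bit, n)) % n

def gm_decrypt(c, priv):
    """Bit 0 if c is a quadratic residue modulo p, bit 1 otherwise."""
    p, _ = priv
    return 1 if is_quadratic_nonresidue(c, p) else 0

def homomorphic_xor(c0, c1, n):
    """E(m0) * E(m1) mod n encrypts m0 XOR m1."""
    return (c0 * c1) % n

def demo_gm(b0, b1):
    """Decrypt the product of the encryptions of b0 and b1 (toy key)."""
    pub, priv = gm_keygen(7, 11)          # constructed toy key, n = 77, x = 6
    c = homomorphic_xor(gm_encrypt(b0, pub), gm_encrypt(b1, pub), pub[0])
    return gm_decrypt(c, priv)

if __name__ == "__main__":
    for b0, b1 in [(0, 0), (0, 1), (1, 0), (1, 1)]:
        print(b0, b1, "->", demo_gm(b0, b1))
```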

[Figure 2.1: Finding the nearest lattice point for a point P in 2 dimensions. The figure labels the origin (0,0), the basis vectors v0 and v1, the nearest lattice point L and the point P.]

2.1.3 Lattice Based Cryptography

Fully homomorphic encryption schemes are primarily based on the hardness of lattice-based problems. Two lattice problems which cryptography can be built upon are the Closest Vector Problem (CVP) and Shortest Vector Problem (SVP) [50].

Definition. Given a point P and the lattice M, the Closest Vector Problem asks us to find the nearest lattice point L in M.

In Figure 2.1, it is easy to see the closest lattice point in pictorial form, but because a computer is only given a matrix, and the dimensions are much larger, it makes finding the closest lattice point more computationally intensive.

Definition. Given the lattice M, the Shortest Vector Problem asks us to find the smallest non-zero vector V in M.

Non-zero is important because every lattice technically has a zero vector. In Figure 2.1, this is simply v0, because the example lattice only shows the basis vectors. However, if larger vectors are given, there may exist a smaller vector which can make up the fundamental region. Note that CVP is actually a generalization of SVP, because if you are given an oracle (function) for CVP, it is possible to find the shortest vector by querying the oracle [51][52]. Therefore, because CVP is an NP-hard problem, so is SVP [53][54].
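To make the two definitions concrete, the following added example (not from the thesis) solves SVP and CVP by brute force on a constructed 2-dimensional lattice with basis (5, 1) and (6, 2). The basis is an assumption chosen so that neither basis vector is the shortest lattice vector: the combination (6, 2) − (5, 1) = (1, 1) is shorter, which is the situation the paragraph above describes. The search enumerates every integer combination of the basis within a coefficient bound, so its cost grows exponentially with the dimension; that is why the pictorial intuition of Figure 2.1 does not carry over to the high-dimensional matrices a computer is given.

```python
import itertools

# Added example (not from the thesis): exhaustive SVP and CVP solvers for a
# tiny constructed lattice. Only feasible for very small dimensions.

BASIS = [(5, 1), (6, 2)]   # constructed basis; shortest vector is (1, 1)

def lattice_point(basis, coeffs):
    """Integer combination sum(c_i * b_i) of the basis vectors."""
    dim = len(basis[0])
    return tuple(sum(c * b[j] for c, b in zip(coeffs, basis)) for j in range(dim))

def squared_distance(v, w):
    return sum((a - b) ** 2 for a, b in zip(v, w))

def shortest_vector(basis, bound=10):
    """SVP: smallest non-zero lattice vector with coefficients in [-bound, bound].

    Returns (vector, squared norm); the first minimum in enumeration order wins.
    """
    origin = (0,) * len(basis[0])
    best, best_norm = None, None
    for coeffs in itertools.product(range(-bound, bound + 1), repeat=len(basis)):
        v = lattice_point(basis, coeffs)
        if not any(v):
            continue                           # the zero vector is excluded
        norm = squared_distance(v, origin)
        if best_norm is None or norm < best_norm:
            best, best_norm = v, norm
    return best, best_norm

def closest_vector(basis, target, bound=10):
    """CVP: lattice point nearest to target; returns (point, squared distance)."""
    best, best_dist = None, None
    for coeffs in itertools.product(range(-bound, bound + 1), repeat=len(basis)):
        v = lattice_point(basis, coeffs)
        d = squared_distance(v, target)
        if best_dist is None or d < best_dist:
            best, best_dist = v, d
    return best, best_dist

if __name__ == "__main__":
    print("SVP:", shortest_vector(BASIS))
    print("CVP for P = (7.3, 4.1):", closest_vector(BASIS, (7.3, 4.1)))
```

For the constructed basis every integer pair (x, y) with x ≡ y (mod 4) is a lattice point, so the closest point to the constructed target P = (7.3, 4.1) is (8, 4); a target that is itself a lattice point, such as (3, 3), is returned at distance 0.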
