Comparison-Based Computations Over Fully

1

Comparison-Based Computations Over Fully Homomorphic Encrypted Data Mihai Togan1,∗ and Cezar Ple¸sca1 - Research and Development, Bucharest, Romania ∗ Corresponding author (E-mail : [email protected])

1 certSIGN

Abstract—The possibility of outsourcing computation to the cloud offers businesses and individuals substantial cost-savings, flexibility, and availability of compute resources, but potentially sacrifices privacy. Homomorphic encryption can help address this problem by allowing the user to upload encrypted data to the cloud, on which the cloud can then operate without having the secret key. The cloud can return encrypted outputs of computations to the user without decrypting the data, thus providing data hosting and services without compromising privacy. This paper contribution is two-fold. First, it presents a survey into the subject of fully homomorphic encryption and highlights scenarios where homomorphic encryption could be an appropriate solution. Secondly, we focus on the modeling of number comparison in terms of homomorphic encryption. This approach is then used for applications such as the maximum value from a vector or the sorting problem. Key words - homomorphic encryption, learning with errors, encrypted comparison, HElib.

I. I NTRODUCTION The notion of homomorphic encryption scheme, originally called privacy homomorphism, was introduced in [1]. Ideally, one should be able to transmit encrypted information to the server, process the encrypted data on the server and retrieve processed data from the server. This ideal situation, for long renown as the "Holly Grail of Cryptography", has finally got a brake through in 2009 by Craig Gentry in his Ph.D. thesis [5]. The idea is that any operation can be reduced to the basic addition and multiplication operations on bit level. Since cloud storage and cloud computing platforms were developed, users have the ability to outsource storage and computations on their data. Further it allows businesses to offload the task of maintaining a data-center. However, consumers and businesses are concerned about a possible loss of privacy which leads to an slow adoption of cloud services. The privacy concerns can be mitigated if users encrypt the data sent to the cloud. If the used encryption scheme is homomorphic, the cloud could perform meaningful computations on the encrypted data. The main issue in this context is the question if fully homomorphic encryption schemes are efficient enough to be practical for cloud computing. Craig Gentry estimated in an article [9] that performing a Google search with encrypted keywords would multiply the necessary computing time by around 1 trillion. A more scientific analysis of Gentry’s fully homomorphic encryption system was done in [14], but c 2014 IEEE 978-1-4799-2385-4/14/$31.00

Gentry’s estimation should make clear that the performance penalty of this scheme is way to big to use it in practice. In [11], Lauter, Baehrig and Vaikuntanathan provided few concrete applications of homomorphic encryption and argued that there are many functions which could be useful for privacy preserving cloud services, which can be computed by many additions and a small number of multiplications on cipher-texts. For example, averages require no multiplications, standard deviation requires one multiplication, and predictive analysis such as logistical regression requires few multiplications. Using a recently proposed leveled homomorphic encryption scheme, Graepel et al. show in [18] that it is possible to delegate the execution of a machine learning algorithm to a computing service while retaining confidentiality of the training and test data. They defined a new class of machine learning algorithms in which the algorithm’s predictions, viewed as functions of the input data, can be expressed as polynomials of bounded degree. A confidential algorithms is then proposed for binary classification based on polynomial approximations to least-squares solutions obtained by a small number of gradient descent steps. Straightforward implementation of many machine learning algorithms requires operations which are not necessarily represented by a low-degree polynomial such as comparison and division, making difficult to adapt certain algorithms to operate on encrypted data. For instance, a comparison x > y is not polynomial, unless the inputs are encrypted bit-wise and a deep circuit for comparison is implemented. Solving this problem may lead to practical implementations for the sorting problem or some other problem like K-Means clustering algorithm, which requires ordering neighbors according to distance. The rest of this article is organized as follows: first, we present the main definitions and notations used throughout the paper. We show some of the schemes developed after Gentry’s breakthrough, with focus on the method that was really implemented in the form of a software library called HElib. In the second part of the paper, we model the numbers comparison in terms of homomorphic encryption, and test this approach using HElib. Finally, we discuss a comparison-based application, namely the maximum value from a vector. Conclusions about the current state of homomorphic encryption and possible directions to improve the existing concepts ends our paper.

II. A BSTRACT F ULLY H OMOMORPHIC E NCRYPTION S CHEMES An encryption scheme E has three algorithms: KeyGenE , EncryptE , and DecryptE , all of which must run in polynomial time in the security parameter λ, that specifies the bitlength of the keys. In a symmetric, or secret-key, encryption scheme, KeyGenE uses λ to generate a single key that is used in both EncryptE and DecryptE , first to "transform" a message into a ciphertext, and then to map the ciphertext back to the message. In an asymmetric, or public-key, encryption scheme, KeyGenE uses λ to generate two keys: a public encryption key pk, which may be made available to everyone, and a secret decryption key sk. A homomorphic encryption scheme has a fourth algorithm EvaluateE , that takes as input the public key pk, a circuit C, and a tuple of ciphertexts Ψ = (ψ1 , ..., ψt ) and outputs a ciphertext ψ. The fourth algorithm must also run in polynomial time in the security parameter λ and the size of C. We say that E is correct for a circuit C, if for any key-pair (sk, pk) output by KeyGenE , and any tuple of ciphertexts Ψ = (ψ1 , ..., ψt ), with ψi ← EncryptE (pk, πi ), we have that DecryptE (sk, ψ) = C(π1 , ..., πt ),

(1)

where ψ ← EvaluateE (pk, C, Ψ). We say that E is homomorphic for circuits in CE , if E is correct for any C ∈ CE . The encryption scheme E is fully homomorphic if it is homomorphic for all circuits. We shall assume that the decryption algorithm of an encryption scheme can be expressed as a circuit of polynomial size in the security parameter λ. A family of schemes {E d : d ∈ N} is leveled fully homomorphic if they all use the same decryption circuit, E d is homomorphic for all circuits of depth at most d (using some set of gates Γ), and the computational complexity of E d ’s algorithms is polynomial in λ, d, and (in the case of EvaluateE d ) the size of C. For a gate g ∈ Γ, the g-augmented decryption circuit consists of a g-gate connecting multiple copies of the decryption circuit. The set of g-augmented decryption circuits, g ∈ Γ is denoted by DE (Γ). If CE is a set of circuits with respect to which E is homomorphic, then we say that E is bootstrappable with respect to Γ if DE (Γ) ⊆ CE . The main result of [5] is the following: Theorem: One can construct a family {E d }d∈N of leveled fully homomorphic encryption schemes from any bootstrappable encryption scheme E. We don’t give here the construction, but we mention that in the next chapter we will briefly review the main ideas involved in the cases we are interested in: E is bootstrappable with plaintext space P = {0, 1}, and circuits are boolean. Let us finish this section by saying that the "limit" of this family of leveled fully homomorphic encryption schemes may be viewed as a fully homomorphic encryption scheme. A. Fully Homomorphic Encryption over the Integers We begin the story about fully homomorphic encryption with the simplest known scheme which involves only the ring of integers. Even though this scheme is chronologically older than the first FHE scheme described in Gentry’s thesis [5],

we believe that anyone who aspires to understand Gentry’s approach towards FHE, should start with this one. Following [9] we consider the following encryption scheme E: KeyGenE (λ): The key is a random P -bit odd integer p. EncryptE (p, m): To encrypt a bit m ∈ {0, 1}, set m0 to be a random N -bit number such that m0 ≡ m (mod 2). Output the ciphertext c ← m0 +pq, where q is a random Q-bit number. DecryptE (p, c): Output [c]p mod 2, where [c]p is the unique integer in (−p/2, p/2), that is congruent to c modulo p. EvaluateE (pk, f, c1 , ..., ct ): Express the boolean function f as a circuit C with XOR and AND gates. Let C † be the same circuit as C, but with XOR and AND gates replaced by addition and multiplication gates over the integers. Let f † be the multivariate polynomial that corresponds to C † . Output c ← f † (c1 , ..., ct ). Notice that decryption works if the noised message m0 has size less than p/2, in other words if N ≤ P − 1 then the decryption algorithm outputs m for the input c (where c is a valid encryption of m). The scheme becomes homomorphic if we simply add or multiply the cipher-texts as integers, however we run into trouble because these operations increase the noise associated to the resulting cipher-texts. Unfortunately, in the end the noise becomes so large that the decryption algorithm no longer returns the correct result. One can show that the scheme E is already powerful because it can handle an elementary symmetric polynomial of degree d
in t variables, as long as 2N d · dt < p2 , which is true (roughly) η . That E can evaluate polynomials of when d < N +log 2t such high degree makes it "homomorphic enough" for many applications, e.g. it works well when f † is a basic keyword search. Recall that an encryption scheme E is bootstrappable if it is able to handle its own decryption function. Starting with a bootstrappable scheme E, Gentry’s recipe produces a fully homomorphic encryption scheme E † . We give a brief description of this construction. Suppose that the cipher-text c1 encrypts the bit m under the public key pk1 . Suppose also that we have encrypted the secret key sk1 : let sk1 be a vector of cipher-texts that encrypt the bits of sk1 under another public key pk2 via EncryptE (pk2 , sk1j ). Consider the following algorithm. RecryptE (pk2 , DE , sk1 , c1 ). Generate c1 via EncryptE (pk2 , c1j ) over the bits of c1 Output c ← EvaluateE (pk2 , DE , sk1 , c1 ) For any encryption scheme the decryption circuit takes as inputs the bits of a secret key and the bits of a ciphertext. In RecryptE , the decryption circuit has input wires for sk1 and c1 , each encrypted under pk2 . Since E is used to evaluate the decryption circuit homomorphically, the output c of RecryptE is an encryption under pk2 of DecryptE (sk1 , c1 ) = m. Therefore, the algorithm RecryptE outputs a new encryption of m, but under pk2 . Notice that evaluating DE removes the noise associated to c1 under pk1 (because decryption removes noise), but

EvaluateE simultaneously introduces new noise while evaluating the ciphertexts under pk2 . As long as the new noise added is less than the old noise removed, we have made progress. Since our goal is to perform actual operations on underlying messages, not merely to obtain a new encryption of the same message, we shall use RecryptE after each gate to obtain "fresh noise". Suppose that E can handle DE augmented by some gate, say Add, call this augmented circuit DAdd (recall that DE augmented by Add consists of two copies of DE connected by an Add gate). If c1 and c2 are two ciphertexts that encrypt m1 and m2 , respectively, under pk1 , and we compute c1 and c2 as before, then we have that c ← EvaluateE (pk2 , DAdd , sk1 , c1 , c2 )

(2)

is an encryption under pk2 of m1 ⊕ m2 . The fully homomorphic encryption scheme E † is obtained by recursing this process. The secret key in E † consists of a sequence (sk1 , ..., skl ), whereas the public key consists of a sequence (pk1 , ..., pkl+1 ) and a a chain of encrypted secret keys (sk1 , ..., skl ) (where ski is an encryption of ski under pki+1 ). To evaluate a function f in E † , express it as a circuit, arrange its gates into levels, and step through the levels sequentially. For a gate at level i + 1, we take as input the encrypted secret key ski and a couple of ciphertexts associated to output wires at level i that are under pki , and we homomorphically evaluate DGate to get a ciphertext under pki+1 associated to a wire at level i + 1. Finally, we output the ciphertext associated to the output wire of f . Unfortunately, the scheme E is not bootstrappable, so that we need to transform it into a new scheme E ∗ by replacing the E’s decryption function with an circuit that adds a fairly small set of numbers. During the transformation we shall use two integers 0 < α < β. KeyGenE ∗ (λ): Run KeyGenE (λ) to obtain keys (pk, sk), − where sk is an odd integer p. Generate a set → y = hy1 , ..., yβ i of rational numbers in [0, 2) such that there is a sparse subset P S ⊂ {1, ..., β} of size α with i∈S yi ≈ 1/p mod 2. Set sk∗ to be the sparse subset S encoded as a vector s ∈ {0, 1}β − with Hamming weight α. Set pk∗ ← (pk, → y ). EncryptE ∗ (pk∗ , m): Run EncryptE (pk, m) to obtain ciphertext c. For i ∈ {1, ..., β}, set zi ← c · yi mod 2, keeping only about log α bits of precision after the binary point for − each zi . The ciphertext c∗ consists of c and → z = hz1 , ..., zβ i. → − The moral is that the hint y is used to post-process a ciphertext c output by EncryptE ∗ , with the objective of leaving less work remaining for DecryptE ∗ to do. P DecryptE ∗ (sk∗ , c∗ ): Output (c − b i si zi e) mod 2 where b·e rounds to the nearest integer. Decryption works, since (up to small precision errors) X X X si zi = si cyi = c · yi = c/p mod 2 (3) i

i

i∈S

The important thing about EncryptE ∗ is that is defined by a summation containing only α nonzero terms. The bits of this summation can be computed by a polynomial of degree

α · polylog(α) which E ∗ can handle if we set α small enough. The scheme E ∗ becomes bootstrappable, for example, if we set the parameters N = λ, P = λ2 , Q = λ5 , and α = λ/polylog(λ). Since the public key and the secret key are both represented by the odd integer p, the above scheme is a symmetric homomorphic encryption scheme. One can turn it into a public-key scheme, but the procedure adds some complexity. As before, the secret key is p, however the public key consists of a list of integers that are essentially "encryptions of zero". To encrypt a message one chooses at random a subset from this list, computes the sum of its members and then add the result to m. For all the details of this procedure we refer the reader to [9]. The security is based on the hardness of the Approximate Common Divisor Problem (this is the problem of finding d, given a collection of integers of the form {dqi + ri }ti=0 with ri "small", see [12]), and Sparse Subset-Sum Problem (SSSP) (it should be difficult to distinguish between random subsets of Z and those that have sparse subsets that sum to 0, see [5]). III. F ULLY H OMOMORPHIC E NCRYPTION S CHEMES A. Fully Homomorphic Encryption using Ideal Lattices We start by giving a general construction of encryption schemes in terms of rings and ideals (see [5],[6]). We fix a ring R, that is set appropriately with respect to the security parameter λ, and two relatively prime ideals I and J, i.e. I + J = R. We fix a basis BI of I, and an algorithm IGen(R, BI ) that outputs public and secret bases BJpk and BJsk of J. Assume that if r ∈ R and BJ is a basis for the ideal J , then the value r mod BJ is unique and can be computed efficiently with respect to the basis. We use the notation R mod BJ to denote the set of distinguished representatives of the cosets r + J , r ∈ R, with respect to the particular basis BJ of J . We also use an algorithm Samp(x, BI , R, BJ ) that samples from the coset x + I. We have the following general public-key encryption scheme E: KeyGen(R, BI ): Takes as input a ring R, an ideal I, and a basis of it BI . Set BJpk , BJsk ← IGen(R, BI ). The plaintext space P is a subset of R mod BI . The public key pk includes R, BI , BJpk , and Samp. The secret key sk also includes BJsk . Encrypt(pk, π). Takes as input the public key pk and plaintext π ∈ P. It sets ψ 0 ← Samp(π, BI , R, BJpk ) and outputs ψ ← ψ 0 mod Bpk J . Decrypt(sk, ψ). Takes as input the secret key sk and a cipher-text ψ. It outputs π ← (ψ mod Bsk J ) BI . Evaluate(pk, C, Ψ). Takes as input the public key pk, a circuit C in some permitted set CE of circuits composed of AddBI and MultBI gates and a set of input cipher-texts Ψ. It invokes Add and Mult, given below, in the proper sequence to compute the output cipher-text. Add(pk, ψ1 , ψ2 ). Outputs ψ1 + ψ2 mod Bpk J . Mult(pk, ψ1 , ψ2 ). Outputs ψ1 × ψ2 mod Bpk J . Let us discuss in what follows the example of the above abstract construction considered in [14]. Let R = Z[x]/(xn +1),

where n is a power of 2. The ideal I is chosen to be I = (2). The plain-text space is {0, 1}, which is embedded in R/I = {0, 1}n by encoding 0 as 0n and 1 as 0n−1 1. The ideal J is chosen to be principal generated by the polynomial v(x), and such that J = (d, x − r), where the odd integer d is the resultant of the polynomials v(x) and xn + 1, and r ∈ Z is a root of xn + 1 modulo d. The public key is determined by the two integers d, r, whereas the secret key consists of the pair (v, w), where w is the scaled inverse of v, i.e. v × w = d modulo xn + 1. To encrypt the bit m, the scheme chooses a polynomial u(x) with small coefficients, and outputs the ciphertext c ← [m+2u(r)]d . To decrypt, let wi be one of the odd coefficients of w, then the bit m is recovered as m = [cwi ]d (mod 2). Unfortunately, the scheme is not bootstrappable, so that one needs to "squash" the decryption circuit using a procedure similar to the one from the previous section. The security of the scheme is based on the "bounded distance decoding" problem (i.e. finding the closest lattice point to a given point in the ambient space, see [4]), and on SSSP, as before.

B. Fully Homomorphic Encryption from LWE The simplest and yet the most powerful fully homomorphic encryption scheme known to date was constructed in [13]. The whole construction is based on the so called "learning with errors" (LWE) problem, first presented by Regev in [2], see also [10]. The LWE assumption states that if s ∈ Znq is an n dimensional (secret) vector, any polynomial number of "noisy" random linear combinations of the coefficients of s are computationally indistinguishable from uniformly random elements in Zq . More precisely: poly(n)

{ai , hai , si + ei }i=1

c

poly(n)

≈ {ai , ui }i=1

(4)

where ai ∈ Znq and ui ∈ Zq are uniformly random, and the "noise" ei is sampled from a noise distribution that outputs numbers much smaller than q (for example is a discrete Gaussian distribution over Zq with small standard deviation). The LWE problem is at least as hard as finding short vectors in any lattice (see [2] and [7]). To encrypt a bit m choose a random a ∈ Znq , a "noise" e ∈ Zq , and compute b ← m + 2e + ha, si (here s is the public/secret key). The cipher-text is c ← (a, b) ∈ Zn+1 . To q decrypt, compute b − ha, si; the result is 2e + m (mod q), and since e is chosen to be much smaller than q, we get that 2e + m (mod q) = 2e + m. Finally, compute 2e + m (mod 2). The scheme is homomorphic with respect to addition, until too much noise accumulates. To make it homomorphic with respect to multiplication one needs to use the re-linearization technique introduced in [13] and refined in [15]. The method allows to do one multiplication by encrypting the product under a new secret key. Posting a "chain" of L secret keys allows one to perform up to L levels of multiplications. This new construction produces a leveled fully homomorphic encryption scheme without using Gentry’s bootstrapping procedure.

IV. I MPLEMENTING A H OMOMORPHIC C OMPUTATION This section will show a way to implement several computations that requires integer comparison, such as the maximum value of a vector or the sorting vector problem. This take us to a fundamental exercise, namely comparing two homomorphic encrypted integers, which will be explain further. A. Cypher-Integer Comparison We want to compare two integers X and Y binary represented as X = xn−1 xn−2 · · · x0 and Y = yn−1 yn−2 · · · y0 . Comparing X and Y translates to bit comparison, from the msb to the lsb; therefore, a toy example is to consider two bit comparison, x and y. The binary expressions (computation is done in Z2 ) corresponding to three of their possible relations are the following: x > y ⇔ xy + x = 1

(5)

x=y ⇔x+y+1=1

(6)

x ≤ y ⇔ xy + x + 1 = 1

(7)

This means that if we have the FH encryptions of x and y, namely Cx and Cy , we can evaluate C = Cx · Cy + Cx (using “(5)”). Upon decryption of C, one can know if x > y (i.e. Dec(C) = 1) or x ≤ y (i.e. Dec(C) = 0). Let’s consider the case of two integers X = x1 x0 and Y = y1 y0 represented on n = 2 bits. The binary expression that could be used to evaluate the relation X > Y is the following: x1 x0 > y1 y0 ⇔ (x1 > y1 ) ∨ (x1 = y1 ) ∧ (x0 > y0 ) = > ⇔ (x1 y1 + x1 ) + (x1 + y1 + 1)(x0 y0 + x0 ) = 1 ⇔ x1 y1 +x1 +x1 x0 y0 +x1 x0 +y1 x0 y0 +y1 x0 +x0 y0 +x0 = 1 (8) The last line of “(8)” gives a polynomial F (x1 , x0 , y1 , y0 ) (or shortly F (X, Y )) that needs to be evaluated on the cypherbits of X and Y to obtain the encrypted version of the relation X > Y . Similarly, one can obtain the corresponding binary evaluation polynomials for relations X = Y and X ≤ Y . Moreover, a simple reasoning by induction could prove that, for a n-bits representation, the evaluation functions for X > Y and X ≤ Y lead to n + 1 degree polynomials while X = Y conduct to a n degree polynomial. Nevertheless the number of multiplications involved in such an evaluation, could be reduced to dlog2 (n)e using appropriate factor grouping. The previous (naive) approach of finding the evaluation function corresponding to an n-bits integer comparison circuit becomes more complex and quite difficult to compute as n increases. Therefore, a more elegant and simpler solution could use a divide-and-conquer approach as presented in [3]. Namely, for two n-bits integers X and Y and taking l = dn/2e, we have the following decomposition into: msb(X)

lsb(X)

msb(Y )

lsb(Y )

z }| { z }| { z }| { z }| { xn−1 · · · xl xl−1 · · · x0 > yn−1 · · · yl yl−1 · · · y0 ⇔ (msb(X) > msb(Y )) ∨ (msb(X) = msb(Y )) ∧ (lsb(X) > lsb(Y )) (9)

This property suggests a method that would first split the bit strings X and Y in about equally long parts, compare these parts recursively, and then combine these to produce the final output. If the recursive approach from “(9)” is possible at the boolean logic level, then it is naturally applicable at the Z2 arithmetic level. To evaluate F (X, Y ) for X > Y using Z2 arithmetic operations (as seen in “(8)” for n = 2), we introduce the following auxiliary functions: 1) ti,j is the boolean value corresponding to the truth value of the expression xi+j−1 · · · xi > yi+j−1 · · · yi 2) zi,j is the boolean value corresponding to the truth value of the expression xi+j−1 · · · xi = yi+j−1 · · · yi 3) si,j is the boolean value corresponding to the truth value of the expression xi+j−1 · · · xi ≥ yi+j−1 · · · yi Expressed explicitly in terms of the bits of X and Y , a full solution for X > Y and X ≥ Y is obtained by evaluating t0,n and s0,n respectively, using the following recurrences (choosing each time l = dj/2e):  xi yi + xi , j=1 ti,j = (10) ti+l,j−l + zi+l,j−l ti,l , j > 1  xi + yi + 1, j = 1 zi,j = (11) zi+l,j−l zi,l , j > 1  xi yi + yi + 1, j=1 si,j = (12) ti+l,j−l + zi+l,j−l si,l , j > 1 Correctness of the computation follows from the same decomposition principle illustrated in “(9)”. The depth of the equivalent boolean circuit is exactly dlog2 (n)e, hence O(log(n) with hidden constant 1 for the base-2 logarithm. Given the divide-and-conquer approach of “(11)”, the number of multiplications for z evaluation for n = 2k is straightforward given by the formula: 1 + 21 + 22 + · · · + 2k−1 = n − 1

(13)

Let C(n) be the number of multiplications for t evaluation. Following the recurrence formula from “(10)”, and restricting the analysis to n a power of 2, C(n) can be expressed as: n n  n n n C(n) = C + − 1 +C +1 = 2C + (14) 2 2 2 2 2 This recurrence is just a special case of the well known master theorem, a technique used in algorithm complexity analysis, which allows to solve general recurrences of the form T (n) = aT (n/b) + f (n). Therefore, the number of multiplications to evaluate the relation order X > Y is given by:   log2 (n) C(n) = n 1 + (15) 2 B. Maximum Problem Knowing to compare two encrypted integers, let’s construct a protocol to find the maximum value from an encrypted vector of integers. Formally, considering a vector of n elements {v1 , v2 · · · vn } and its component-wise encrypted version {c1 , c2 · · · cn }. Let’s call F an evaluation function that allows us to compare two numbers, in the sense of order relation x ≥ y; hence, F (x, y) = Enc(1) ⇔ x ≥ y. A value vi is the maximum, if the following relations hold:

vi ≥ v1 ⇔ F (vi , v1 ) = Enc(1) vi ≥ v2 ⇔ F (vi , v2 ) = Enc(1) ··· vi ≥ vn ⇔ F (vi , vn ) = Enc(1) Therefore, computing the product P (i) of all F (vi , vj ) factors (j 6= i), we should obtain an encryption of 1. Conversely, if vi is not the maximum value of the vector, there is at least one value j leading to F (vi , vj ) = Enc(0), hence the overall product becoming an encryption of 0. Having the encrypted numbers in the cloud, the protocol to find the maximum value requires the computation of P (i) for all encrypted numbers and the sending of the encrypted values to the client. The client decrypts the stream of P (i) until it finds a value of 1. It then asks to the cloud to send the corresponding encrypted information Enc(vi ) from which the client finds the maximum value of the vector. The number of informations sent from cloud to the client is the same as the complexity of the maximum problem solved for unencrypted values, i.e. O(n), with n/2 informations sent in average. P (i) =

Y

F (vi , vj ); P (i) = Enc(1) ⇔ vi ≥ vj ∀j 6= i (16)

j6=i

C. Experimenting with HElib The most efficient fully homomorphic encryption scheme has been implemented by the IBM research team conducted by S. Halevi and V. Shoup using ideas that can be found in [15], [16], and [17]. The implementation is called Homomorphic-Encryption Library (HELib) and can be found at: https://github.com/shaih/HElib. This software library implements the RLWE homomorphic encryption scheme, along with many optimizations to make homomorphic evaluation runs faster. HElib is written in C++ and uses the NTL mathematical library. Our experiments with HElib were conducted on a machine equipped with a Intel(R) Xeon(R) E5-1620 at 3.60GHz CPU and 12GB memory. We implemented and tested the evaluation functions for the three order relations presented in “(10)”, “(11)”, “(12)”. For each of these relations, we randomly generate a set of integers pairs, FHE encrypt them and then we measure execution time of the comparison evaluation functions. In our tests, integers length binary representation varies from 1 to 16 bits. For the HElib context, mainly defined by security parameter (λ) and circuit depth (D), we choose the following values: λ ∈ {80, 128} and D = 8. The chosen value for D allows the comparison of integers whose length can be up to 28 = 256 bits. Table “I” presents the absolute average execution time (in seconds) for comparing 8 and 16 bits integers, respectively. One can notice the timing costs are quite expensive, even for a simple small integers comparison. In this manner, the secret key generated by HElib for our scenarios has a size of about 225MB for λ = 128 and 75MB for λ = 80.

Table I: Timing Costs (sec) for HE Comparison Operations Security Relations 8 bits 16 bits

= 5.045 11.656

λ = 80 > 11.147 29.035

≥ 11.402 29.269

= 5.764 13.376

λ = 128 > 12.843 33.429

≥ 13.018 33.613

The time execution of the “>” evaluation function with respect to the integer bit-length is illustrated in “Fig. 1” illustrates The time values are normalized by a constant factor, namely the time taken by a single cypher-text multiplication. In this figure, one can observe that the experimental curve is very close to the theoretical one given by “(15)”.

interesting to acknowledge if such implementations can exist within a more general framework, where the Galois groups are slightly more general. Notice that even in the commutative case (by Weber theorem, one is forced to consider only subfields of cyclotomic extensions), other cases might lead to improvements on the level of efficiency/ security of the encryption schemes. For example, one would start this line of investigation with the ring of integers of the maximal real subfield of the m-th cyclotomic field, i.e. R = Z[ζm + ζ1m ], with ζm a primitive m-th root of unity. ACKNOWLEDGEMENTS This paper contains work done in the research project "Development of technologies for securing data in Cloud" (no. 9DPST/2013) partially supported by Romanian UEFISCDI. R EFERENCES

Figure 1: Time Execution of Encrypted Comparison

V. C ONCLUSIONS This paper presents a survey into the most recent fully homomorphic encryption techniques and highlights scenarios where homomorphic encryption could be an appropriate solution. We focus on the algorithms based on number comparison and propose a modeling of this relationship order in terms of homomorphic encryption. We made a implementation of the proposed model using a recently FHE library, called HElib. We show how this approach can be applied to find the maximum value from an encrypted vector; many other applications such as sorting, searching or even K-Means clustering could benefit from this idea. The proposed method use a divide-etimpera aproach which is suitable for a parallel implementation within a cloud environment. All known fully homomorphic encryption schemes are based on hardness of lattice problems. One can ask the following natural question: can we construct fully homomorphic from other approaches, say, for example, from numbertheoretic assumptions? Can we bring in the issue of the hardness of factoring or discrete logarithms in this problem? Some of the applications of fully homomorphic encryption do not require its full power. Further improvements in the design of a fully homomorphic encryption scheme, can take into account approaches which use different specialization of Gentry’s blueprint recipe combined with GLWE method. The ring R used in all of the above described approaches is the ring of integers of some cyclotomic number field. In the implementation process, a vital property of these rings is that the associated Galois group is commutative. It is

[1] R. Rivest, L. Adleman and M. Dertouzos, “On Data Banks And Privacy Homomorphisms”, Foundations of Secure Computation, pp. 169–180, 1978. [2] O. Regev, “On Lattices, Learning With Errors, Random Linear Codes And Cryptography”, ACM Symposium On Theory of Computing, pp. 84–93, 2005. [3] J. Garay, B. Schoenmakers and J. Villegas, “Practical and Secure Solutions For Integer Comparison”, Public Key Cryptography, Lecture Notes in Computer Science, pp. 330–342, 2007. [4] N. Gama and P. Q. Nguyen, “Predicting Lattice Reduction”, Advances in Cryptology, Eurocrypt 2010, Lecture Notes in Computer Science, pp. 31–51, 2008. [5] C. Gentry, “A Fully Homomorphic Encryption Scheme”, PhD Thesis, Stanford University, http://crypto.stanford.edu/craig, 2009. [6] C. Gentry, “Fully Homomorphic Encryption Using Ideal Lattices”, ACM Symposium On Theory of Computing, pp. 169–178, 2009. [7] C. Peikert, “Public-key Cryptosystems From The Worst-Case Shortest Vector Problem: Extended Abstract”, ACM Symposium On Theory of Computing, pp. 333–342, 2009. [8] M. van Dijk, C. Gentry, S. Halevi and V. Vaikuntanathan, “Fully Homomorphic Encryption Over The Integers”, Advances in Cryptology, Eurocrypt 2010, Lecture Notes in Computer Science, pp. 24–43, 2010. [9] C. Gentry, “Computing Arbitrary Functions Of Encrypted Data”, Communications Of The ACM, pp. 97–105, 2010. [10] V. Lyubashevsky, C. Peikert and O. Regev, “On Ideal Lattices And Learning With Errors Over Rings”, Eurocrypt, Lecture Notes in Computer Science, pp. 1–23, 2010. [11] M. Naehrig, K. Lauter and V. Vaikuntanathan, “Can Homomorphic Encryption Be Practical? ”, ACM Workshop on Cloud Computing Security Workshop, pp. 113–124, 2011. [12] N. Howgrave-Graham, “Approximate Integer Common Divisors”, CaLC, Lecture Notes in Computer Science, pp. 51–66, 2011. [13] Z. Brakerski and V. Vaikuntanathan, “Efficient Fully Homomorphic Encryption From (Standard) LWE”, IEEE Symposium on Foundations of Computer Science, pp. 97–106, 2011. [14] C. Gentry and S. Halevi, “Implementing Gentry’s Fully-Homomorphic Encryption Scheme”, Advances in Cryptology, EuroCrypt 2011, Lecture Notes in Computer Science, pp. 129–148, 2011. [15] Z. Brakerski, C. Gentry and V. Vaikuntanathan, “Fully Homomorphic Encryption without Bootstrapping”, Innovations in Theoretical Computer Science Conference, pp. 309–325, 2012. [16] C. Gentry, S. Halevi and N. Smart, “Homomorphic Evaluation Of The AES Circuit”, Advances in Cryptology, Crypto 2012, Lecture Notes in Computer Science, pp. 850–867, 2012. [17] N. Smart and F. Vercauteren, “Fully Homomorphic SIMD Operations”, Designs, Codes and Cryptography, 2012. [18] T. Graepel, K. Lauter and M. Naehrig, “ML Confidential: Machine Learning on Encrypted Data”, Information Security and Cryptology, Lecture Notes in Computer Science, pp. 1–21, 2013.