Wireless Communications and Mobile Computing

Wireless Communications and Mobile Computing / 2018 / Article
Special Issue

Security and Privacy Challenges for Internet-of-Things and Fog Computing

View this Special Issue

Research Article | Open Access

Volume 2018 |Article ID 5787930 | 7 pages | https://doi.org/10.1155/2018/5787930

Privacy Protection of IoT Based on Fully Homomorphic Encryption

Academic Editor: Ximeng Liu
Received04 Mar 2018
Revised27 Apr 2018
Accepted15 May 2018
Published20 Jun 2018

Abstract

With the rapid development of Internet of Things (IoT), grave questions of privacy protection are raised. This greatly impacts the large-scale applications of IoT. Fully homomorphic encryption (FHE) can provide privacy protection for IoT. But, its efficiency needs to be greatly improved. Nowadays, Gentry’s bootstrapping technique is still the only known method of obtaining a “pure” FHE scheme. And it is also the key for the low efficiency of FHE scheme due to the complexity homomorphic decryption. In this paper, the bootstrapping technique of Halevi and Shoup (EUROCRYPT 15) is improved. Firstly, by introducing a definition of “load capacity”, we optimize the parameter range for which their bootstrapping technique works. Next we generalize their ciphertext modulus from closing to a power of two to more general situations. This enables the method to be applied in a larger number of situations. Moreover, this paper also shows how to introduce SIMD homomorphic computation techniques into the new method, to improve the efficiency of recryption.

1. Introduction

Nowadays, the IoT is becoming an attractive system paradigm to drive a substantive leap on goods and services through physical, cyber, and social spaces. It covers from traditional equipment to general household equipment, which bring more efficiency and convenience to the users and change current ways of life greatly [1]. See Figure 1.

However, the application of IoT involves mass private information about users, such as healthcare, location, etc. For the users, they want service providers to process the data accurately and efficiently and extract the contained valuable information with keeping user data unknown by others (including themselves). All these problems are difficult to achieve by traditionally encryption schemes. Homomorphic encryption technology is a good choice to solve all these problems [2, 3].

FHE permits a worker to perform arbitrarily complex programs on encrypted data without knowing the secret key [4]. And FHE has been the focus of extensive study [513], since the first candidate scheme was introduced by Gentry [14]. But its efficiency needs to be greatly improved.

Since bootstrapping technology is the essential technology to obtain a “pure” FHE at present. Meanwhile, it is also the main bottleneck in any practical implementation due to the complexity homomorphic decryption. It is very meaningful to improve the efficiency of bootstrapping, which mainly refers to fast low-circuit implementation of decryption function. Without loss of generality, the decryption function for LWE- (Learning with Errors-) based FHE can be computed by evaluating some linear operation between ciphertext and secret key, then reducing the result modulo a big odd modulus and then reducing the result modulo a small modulus , to get the plaintext , namely, . For the decryption function, the modular-reduction operation of () affects the depth of decryption circuit most.

The past few years have seen an intensive study of bootstrapping technique. In the original bootstrapping technique of Gentry [14], he put forward an idea of “squash the decryption circuit” to transform modular-reduction operation into summing operation. This got a moderate polynomial runtime. By proposed an amortized bootstrapping method, Brakerski, Gentry, and Vaikuntanathan (BGV) reduced the runtime to [10]. However, these results applied only to “non-packed” ciphertexts (i.e., ones that encrypt just one bit each).

Gentry, Halevi, and Smart (GHS, PKC2012) reached a major milestone of a bootstrapping algorithm concentrating on the BGV ring-LWE-based scheme (ideal lattice-based FHE) [15]. They proposed a simpler decryption formula. This is done by choosing a prime plaintext modulus and a ciphertext modulus close to a power of . Besides, they utilized packed ciphertexts and Fourier Transform to aid efficiency. To improve the Fourier Transform step of [15], [16] presented a ring/field switching technique. This obtained an asymptotically efficient bootstrapping method for BGV style SHE scheme. Orsini, Pol, and Smart (PKC15) proposed a bootstrapping BGV ciphertexts with a wider choice of and , but their decryption formula was not simple as GHS’s work. Halevi and Shoup (HS, EUROCRYPT 15) generalized the plaintext modulus in [17] to more general situations and got a better efficiency by improving the bit-extraction way. This is asymptotically optimal space and time so far.

In another line of work, [1822] present a bootstrapping technique for the GSW-FHE [13] scheme. They get significant progress in improving the bootstrapping technique on standard lattice-based FHE. And their progress mainly relies on the characteristic that noise in ciphertexts of GSW-FHE grows asymmetrically. Since compared with standard LWE-based FHE schemes, ring-LWE-based FHE schemes always have more efficient homomorphic operations. And among all the ring-LWE-based FHE schemes, BGV ring-LWE-based FHE scheme is optimal (note that GSW-FHE scheme is better than BGV-FHE scheme only in standard LWE-based FHE schemes). Note that, in this paper, the aim is to provide practical FHE scheme for the privacy protection of IoT. Thus, it concentrates on improving the bootstrapping technique of BGV ring-LWE-based FHE schemes in this paper.

The starting point of this paper is the HS’s work [17], where decryption procedure consists of a linear algebra step and a modular reduction step . When and , modular reduction step can be converted to simple bit operations. This greatly reduces the circuit depth of modular reduction. When homomorphically performed above simple decryption formula, the deepest part is homomorphic bit-extraction procedure, and its complexity (both time and depth) increases with the most-significant extracted bit. In [17], by adding to ciphertext multiples of and also multiples of , they proposed a lower-degree homomorphic bit-extraction procedure. And the bigger the parameter range of for the simple formula of modular reduction, the better the performance for the improved homomorphic bit-extraction procedure. See [17] for further details.

Contributions. In this paper, we optimize the parameters of bootstrapping algorithm proposed in EUROCRYPT 2015 by Halevi and Shoup. Firstly, by introducing a definition of load capacity, we optimize the parameters range for which their bootstrapping technique works for the first time. Next we generalize their ciphertext modulus to more general situations. This makes our method applicable to more cases. Moreover, we also show how to introduce SIMD technique into our new method, to improve the efficiency of bootstrapping technique.

Organization. Section 2 presents the notations and some background on the BGV cryptosystem. Section 3 optimizes the parameter range for which bootstrapping technique of Halevi and Shoup works. Next, the ciphertext modulus is generalized from closing to a power of two to more general situations in Section 4. Moreover, it also shows how to introduce SIMD homomorphic computation techniques into the new method to get an efficient bootstrapping method. And in Section 5, an implementation is made of BGV ring-LWE-based scheme based on our efficient bootstrapping method. Finally, Section 6 concludes.

2. Preliminaries

Basic Notations. Set , and the notation is referred to as mod , with coefficients being reduced into the range . For an integer (positive or negative), we consider the base- representation of and denote its digits by .

2.1. Homomorphic Encryption Schemes

Let be the message space and be the ciphertext space. A homomorphic encryption scheme is as follows:(i): output public key , secret key , and evaluation key .(ii): output ciphertext encrypted by plaintext with public key .(iii): recover the message encrypted in the ciphertext by secret key .(iv): output ciphertext which is obtained by applying evaluation key and the function to .

Suppose that and are two key-pairs of scheme . Let be a ciphertext of plaintext under . Let be a ciphertext of the -th bit of the first secret key under the second public key . is a decryption circuit. See Algorithm 1 for the “Bootstrapping” algorithm.

Input:, ,,
Output:
tep 1. where is the -bit of
tep 2.

It can be found that only when scheme can compactly evaluate its decryption circuit. However, most of the existing schemes do not satisfy this condition naturally. It needs some extra operations, such as “squashing the decryption circuit”, which cause the low efficiency of FHE. Thus, it is very meaningful for lower-depth circuit implementation of decryption function.

3. Analysis of HS Recryption Procedure

We start by introducing the HS recryption procedure [17] on that how to homomorphically compute the modular-reduction operation in a lower-depth circuit. The specifics are in Lemma 1.

Lemma 1 (see [17]). Let , , and be integers, and also let be an integer such that and .(i)If is odd then .(ii)If then .

Lemma 1 transforms complex modular operations into simple bit operation, to get a lower-depth circuit of decryption function. But it is still not easy to execute a homomorphic bit-extraction operation. Next, [17] proposed a fast bit-extraction procedure. As stated in the former introduction, the performance of fast bit-extraction procedure is dependent on the parameter range of in Lemma 1. That is, the bigger parameter range of , the better performance of fast bit-extraction procedure. Thus, next we analyse whether the parameter range of in Lemma 1 is optimal. In order to do so, we introduce a new concept called “load capacity”.

Definition 2 (load capacity). Let , . Suppose the formula of modular reduction converted to simple bit operations works when , and . Then the load capacity is defined by the product of two span lengths of and , namely, .

Next Theorem 3 presents the general relationship between the value and for the formula of modular reduction converted to simple bit operations.

Theorem 3. Let , , and be integers, and also let be an integer such that , and let . Then(i)if is odd then ;(ii)if then .

Proof. It starts with the odd- case. Let and with . ThenSince , we can get thatBesides, sincethenAnd since , thenThus, combined with formula (2), we can get thatwhere and are mod- representation. Then it follows that The proof for the case is similar. The details can be referred to in the proof of [17]. It is omitted here.

Next we discuss how to choose the value of in order to obtain the maximum “load capacity”. Load capacity is denoted by , then Let , then . The concrete relations are as shown in Figure 2

It can be easily seen from Figure 2 that the load capacity takes the maximum value when . That is, the load capacity for HS work is only related to the span length, not to the value of and . Then Corollary 4 presents the optimal choice of and for the formula of modular reduction converted to simple bit operations.

Corollary 4. Let , , , and be integers, and also let be an integer such that , and .(i)If is odd then .(ii)If then .The conclusion is obvious; the proof is omitted here.

Note that, when , namely, , it is the same as HS’s work. But, the load capacity of this paper is bigger than that of HS’s work, since of ours has a bigger span length, namely, . The details are present in Table 1.


Schemeload capacity

HS’ work [17]
Our work ()

As seen from Table 1, compared to HS’ work, it can be seen that our scheme has a better load capacity. Note that, while on the surface, it appears to obtain a tiny improvement in a nondominant term, i.e., where the load capacity of the choice in HS is , this is improved to , it is actually a meaningful job when you carefully analyse the principle of the trick of the fast bit-extraction procedure in [17]. That is, add to the coefficients of multiples of and , making them divisible by for some without increasing them too much and also without increasing the noise too much. This means that bit-extraction can be implemented using only polynomials of degree at most , smaller than . Since the load capacity of this paper is bigger than that of HS’s work, it means our work allows adding more multiples of and to the coefficients of . That is, bit-extraction can be implemented using polynomials of lower degree to get a faster implementation. Besides, our variant of HS is more flexible and general on parameters.

4. Generalize Modulus to More General Situations

In this section, it extends HS recryption procedure to have a wider choice of ciphertext modulus. The specifics are in Theorem 5.

Theorem 5. Let , , , and with and , , , also let be an integer such that , andThen,(i)if is odd then ,(ii)if then , where “”refers to scalar multiplication.

Proof. We begin with the odd- case. Let and with . ThenSince , we can get thatBesides, sincethenAnd since , thenThus, combined with formula (11), we can get that Thus,The proof for the case is similar. We omit it here.

Next we discuss how to choose the value of in order to obtain the maximum “load capacity”. Load capacity is denoted by , then Let , then

It is easy to get that takes the maximum value whenThat is, the load capacity is also only related to the span length, not to the value of and .

Then Corollary 6 presents the optimal choice of and for the formula of modular reduction converted to simple bit operations.

Corollary 6. Let , , and with and , , , also let be an integer such that , andThen(i)if is odd then ;(ii)if then . The conclusion is obvious; the proof is omitted here.

To get a homomorphic implementation of the simple decryption formula from above, firstly a homomorphic bit-extraction procedure (Algorithm 2) is presented, which is slightly varied from the bit-extraction procedure of [17].

Input: Modulus , and a ciphertext c encrypting a constant relative to secret key s and modulus
Output: A ciphertext encrypting the bit operation relative to secret key s and modulus
1. Set // encrypt w.r.t. s
2. For to
3.Set // is an accumulator
4.For to //Compute
5.Set //Homomorphic exponentiation to the power
6.Set
7. Set // encrypts
8. Output

uses native homomorphic multiplication to multiply by itself times. To aid exposition, this code assumes that the modulus and secret key remain fixed; otherwise modulus-switching and key-switching should be added (and the level should be increased correspondingly to some ).

Then Algorithm 3 shows how to combine our optimized “bootstrapping” techniques with the SIMD homomorphic computation techniques of Smart-Vercauteren [23], to get a bootstrapping method that works in time quasilinear in the security parameter.

tep 1. The user first post-processes the -secret-key by encrypting as a -ciphertext
with respect to the -secret-key , namely the user has
where
with small coefficients.
tep 2. The server computes homomorphically. Specifically, the server compute the mod-
inner product homomorphically by setting
tep 3. Apply a homomorphic inverse-DFT transformation to convert to CRT-based “packed”
ciphertexts that hold the coefficients of in their plaintext slots.
tep 4. Apply the bit extraction procedure to all these slots in parallel. The result is encryption of
polynomials that have the coefficients of in their plaintext slots.
tep 5. Apply a homomorphic DFT transformation to get back a ciphertext that encrypts the
polynomial itself.

5. Implementation and Performance

In this section, an implementation of BGV ring-LWE-based scheme is made, since it offers nearly the most efficient homomorphic operations. This scheme is defined over a ring , where is the th cyclotomic polynomial. Let be a prime or a prime power, and . Specifically, assume , where each has the same degree , which is equal to the order of modulo . Then, by the Chinese Remainder Theorem, it has the isomorphism . Besides, suppose is the -secret-key, where is an integer polynomial with small coefficients. is the -secret-key. is the -ciphertext.

First, several groups are chosen which satisfy . For each triple , a test is run separately based on our work and HS’ work. These tests were run on a four-year-old IBM System x3850 server, with two 64-bit 4-core Intel Xeon E5450 processors, and 35MB L2 cache and 32GB of RAM at 3.0 GHz. And the implementation was mainly based on Shoup’s NTL library [23] version 9.10.0 and GNU’s GMP library [24]. The former is used for high-level numeric algorithms, and the latter is used for the underlying integer arithmetic operations. Besides, the code was compiled using the gcc compiler (version 4.9.1). Table 2 summarizes the results from our experiments based on our work and HS’.


cyclotomic ring plaintext spacenumber of slotssecurity leveltotal recrypt (sec)space usage (GB)
Our workHS’ workOur workHS’ work

102476971722.33.0
7201101682352.63.2
10001061475203711.213.8
1296161984146131.736.4

The first column gives cyclotomic ring m and its factorization into prime powers. The second column gives the plaintext space, i.e., the field/ring that is embedded in each slot. The third column gives the number of slots packed into a single ciphertext. The fourth column gives the effective security level, computed using the formula that is used in HElib taken from [15, Eqn. ]. The total recrypt gives the total time for a single recryption, while the previous two rows give a breakdown of that time (note that the time for the linear transforms includes some trivial preprocessing time, as well as the less trivial unpacking/repacking time). The last two rows give the memory used (in gigabytes).

As seen from Table 2, compared to HS’ work, it can be easy seen that the variant of HS has advantages both in efficiency and in storage space. Besides the variant of HS is more flexible and general on parameters. This enables our method to be applied in a larger number of situations.

6. Conclusions

Up to now, Gentry’s bootstrapping technique is still the only known method of obtaining a “pure” FHE scheme. Meanwhile it is also the key for the low efficiency of FHE scheme. It is very meaningful to improve the efficiency of bootstrapping, which mainly refers to lower-depth circuit implementation of decryption function. In this paper, it improves the “load capacity” of HS’s work with a better efficiency for bootstrapping and to generalize to more general situations in a similar simple way. This enables our method to be applied in a larger number of situations, such as privacy protection of IoT.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work was sponsored in part by the National Natural Science Foundation of China (Grants nos. 61272041, 61202491, 61272488, and 61601515) and was also supported by the Foundation of Science and Technology on Information Assurance Laboratory (no. KJ-15-006).

References

  1. A. Botta, W. de Donato, V. Persico, and A. Pescapé, “Integration of cloud computing and internet of things: a survey,” Future Generation Computer Systems, vol. 56, pp. 684–700, 2016. View at: Publisher Site | Google Scholar
  2. Y. Zhang, X. Chen, J. Li, D. S. Wong, H. Li, and I. You, “Ensuring attribute privacy protection and fast decryption for outsourced data security in mobile cloud computing,” Information Sciences, vol. 379, pp. 42–61, 2017. View at: Publisher Site | Google Scholar
  3. W.-T. Song, B. Hu, and X.-F. Zhao, “Optimizing LWE-based FHE for better security and privacy protection of smart city,” Journal of Information Science and Engineering, vol. 33, no. 4, pp. 939–952, 2017. View at: Google Scholar | MathSciNet
  4. R. L. Rivest, L. Adleman, and M. L. Dertouzos, “On data banks and pri-vacy homomorphisms,” Foundations of Secure Computation, vol. 4, no. 11, pp. 169–180, 1978. View at: Google Scholar
  5. M. van Dijk, C. Gentry, S. Halevi et al., “Fully homomorphic encryption over the integers,” in Proceedings of the 29th International Conference on The-ory and Application of Cryptographic Techniques, pp. 24–43, Springer, Berlin, Germany, 2010. View at: Google Scholar
  6. N. P. Smart and F. Vercauteren, “Fully homomorphic encryption with relatively small key and ciphertext sizes,” in Proceedings of the 13th International Con-ference on Pronctice and Theory in Public Key Cryptography, pp. 420–443, Springer, Berlin: Germany, 2010. View at: Google Scholar
  7. J.-S. Coron, T. Lepoint, and M. Tibouchi, “Scale-invariant fully homomorphic encryption over the integers,” in Proceedings of the 17th Interna-tional Conference on Practice and Theory in Public Key Cryptography, vol. 8383 of Lecture Notes in Computer Science, pp. 311–328, Springer, Berlin, Germany, 2014. View at: Google Scholar
  8. Z. Brakerski and V. Vaikuntanathan, “Efficient fully homomorphic en-cryption from (standard) LWE,” in Proceedings of the 52nd Annual Symposium on Foundations of Computer Science, pp. 97–106, IEEE Computer Society, Washington, Wash, USA, 2011. View at: Google Scholar
  9. Z. Brakerski and V. Vaikuntanathan, “Fully homomorphic encryption from ring-LWE and security for key dependent messages,” in Proceedings of the 31st Annual Conference on Advances in Cryptology, pp. 505–524, Springer, Berlin, Germany, 2011. View at: Google Scholar
  10. Z. Brakerski, C. Gentry, and V. Vaikuntanathan, “(Leveled) fully ho-momorphic encryption without bootstrapping,” in Proceedings of the 3rd Innovations in Theoretical Computer Science Conference, Optimizing GSW-FHE and Private Information Retrieval 21, pp. 309–325, ACM Press, New York, NY, USA. View at: Google Scholar
  11. Z. Brakerski, “Fully homomorphic encryption without modulus switching from classical GapSVP,” in Proceedings of the 32nd Cryptology Conference, pp. 868–886, Springer, Berlin, Germany, 2012. View at: Google Scholar
  12. C. Gentry, S. Halevi, C. Peikert et al., “Ring switching in {BGV}-style homomorphic encryption,” in Proceedings of the 8th International Security and Cryptography for Networks, pp. 19–37, Springer, Berlin, Germany, 2012. View at: Google Scholar
  13. C. Gentry, A. Sahai, and B. Waters, “Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attrib-ute-based,” in Proceedings of the 33rd Annual Cryptology Conference, pp. 75–92, Springer, Berlin, Germany, 2013. View at: Google Scholar
  14. C. Gentry, “Fully homomorphic encryption using ideal lattices,” in Proceedings of the 41st Annual ACM Symposium on Theory of Computing, pp. 169–178, ACM Press, New York, NY, USA, 2009. View at: Google Scholar
  15. C. Gentry, S. Halevi, and N. P. Smart, “Better bootstrapping in fully ho-momorphic encryption,” in Proceedings of the 15th International Conference on Practice and Theory in Public Key Cryptography, pp. 1–16, Springer, Berlin, Germany, 2012. View at: Google Scholar
  16. J. Alperin-Sheriff and C. Peikert, “Practical bootstrapping in quasilinear time,” in Proceedings of the 33rd Annual Cryptology Conference, pp. 1–20, 2013. View at: Google Scholar
  17. S. Halevi and V. Shoup, “Bootstrapping for helib,” in Eurocrypt, pp. 641–670, 2015. View at: Google Scholar
  18. Z. Brakerski and V. Vaikuntanathan, “Lattice-based FHE as secure as PKE,” in ITCS, pp. 1–8, 2014. View at: Google Scholar
  19. J. Alperin-Sheriff and C. Peikert, Faster Bootstrapping with Polyno-mial Error, vol. 8616 of Lecture Notes in Computer Science, 2014.
  20. R. Hiromasa, M. Abe, and T. Okamoto, “Packing Messages and Optimiz-ing Boot-strapping in GSW-FHE,” in Public-Key Cryptography-PKC, pp. 699–715, Springer, Heidelberg, Berlin, Germany, 2015. View at: Google Scholar
  21. L. Ducas and D. Micciancio, “FHEW: Bootstrapping homomorphic encryption in less than a second,” in Eurocrypt, pp. 617–640, 2015. View at: Google Scholar
  22. I. Chillotti, N. Gama, M. Georgieva, and M. Izabachène, Faster Fully Homomorphic Encryption: Bootstrapping in less than 0.1 seconds.
  23. V. Shoup, NTL: A Library for doing Number Theory, 2016, http://shoup.net/ntl/.
  24. “The GNU Multiple Precision Arithmetic Library,” 2016, http://gmplib.org/. View at: Google Scholar

Copyright © 2018 Wei-Tao Song et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

1016 Views | 365 Downloads | 4 Citations
 PDF  Download Citation  Citation
 Download other formatsMore
 Order printed copiesOrder