Homomorphic encryption

From Wikipedia, the free encyclopedia

Homomorphic Encryption is a form of encryption where one can perform a specific algebraic operation on the plaintext by performing a (possibly different) algebraic operation on the ciphertext. Depending on one's viewpoint, this can be seen as a positive or negative attribute of the cryptosystem. Homomorphic encryption schemes are malleable by design and are thus unsuited for secure data transmission. On the other hand, the homomorphic property of various cryptosystems can be used to create secure voting systems (pdf), collision-resistant hash functions and private information retrieval schemes.

There are several efficient Homomorphic cryptosystems:

Contents

[edit] Examples

In the following examples, we use the notation \mathcal{E}(x) to denote the encryption of the message x.

[edit] Unpadded RSA

If the public key is m,e, then the encryption of a message x is given by \mathcal{E}(x) = x^e \mod m. Then we have the homomorphic property

\mathcal{E}(x_1) \cdot \mathcal{E}(x_2) = x_1^e x_2^e \mod m = (x_1x_2)^e \mod m = \mathcal{E}(x_1 \cdot x_2 \mod m)

[edit] El Gamal

If the public key is p,g,h=ga, and a is the secret key, then the encryption of a message x is \mathcal{E}(x) = (g^r,x\cdot h^r). Then we have the homomorphic property

\mathcal{E}(x_1) \cdot \mathcal{E}(x_2) = (g^{r_1},x_1\cdot h^{r_1})(g^{r_2},x_2 \cdot h^{r_2}) = (g^{r_1+r_2},(x_1\cdot x_2) h^{r_1+r_2}) = \mathcal{E}(x_1 \cdot x_2 \mod p)

[edit] Goldwasser-Micali

If the public key is the modulus m, and quadratic non-residue x, then the encryption of a bit b is \mathcal{E}(b) = r^2 x^b \mod m. Then we have the homomorphic property

\mathcal{E}(b_1)\cdot \mathcal{E}(b_2) = r_1^2 x^{b_1} r_2^2 x^{b_2} = (r_1r_2)^2 x^{b_1+b_2} = \mathcal{E}(b_1 \oplus b_2)

where \oplus denotes addition modulo 2, (i.e. exclusive-or).

[edit] Benaloh

If the public key is the modulus m, the base g and the blocksize r, then the encryption of a message x is g^x u^r \mod m. Then we have the homomorphic property

\mathcal{E}(x_1) \cdot \mathcal{E}(x_2) = (g^{x_1} u_1^r)(g^{x_2} u_2^r) = g^{x_1+x_2} (u_1u_2)^r = \mathcal{E}(x_1 + x_2 \mod \phi(m)/r )

[edit] Paillier

If the public key is the modulus m and the base g, then the encryption of a message x is \mathcal{E}(x) = g^x r^m \mod m^2. Then we have the homomorphic property

\mathcal{E}(x_1) \cdot \mathcal{E}(x_2) = (g^{x_1} r_1^m)(g^{x_2} r_2^m) = g^{x_1+x_2} (r_1r_2)^m = \mathcal{E}( x_1 + x_2 \mod m)

[edit] Open question

While these examples allow one-to-one group operation on plaintexts (either addition or multiplication in these examples), no one has created a cryptosystem which preserves the ring structure of the plaintexts, i.e. allows both addition and multiplication. The best result in this direction is the Boneh-Goh-Nissim cryptosystem which, through operations on the cipthertext, allows addition of plaintext followed by a single multiplication followed by an arbitrary number of additions. This allows evaluation of polynomials of degree 2 on the plaintext through operations on the ciphertext. The system is only practical when the space of plaintexts is relatively small.

[edit] References