Fully Homomorphic Encryption for Secure Computations in Protected Database

Outsourced computations and, more particularly, cloud computations, are widespread nowadays. That is why the problem of keeping the data security arises. Multiple fully homomorphic cryptosystems were proposed in order to perform secret computations in untrusted environments. But most of the existent solutions are practically inapplicable as they require huge computation resources and produce big (∼1Gb) keys and ciphertexts. Therefore, we propose the undemanding fully homomorphic scheme with practically acceptable (∼few Kb) keys and output data. Our solution uses modular arithmetic in order to avoid the increase in data size. We have validated our approach through the implementation of the proposed cryptosystem. The details of used algorithms and the results of security evaluation are covered in this paper.


I. INTRODUCTION
N OWADAYS Information Technologies and, particularly, computations over various data are the important part of our living and business processes.Modern trend to outsource computations to third-parties has aroused a problem of keeping the security of one's data.Cloud computing and other cases of giving the access to the personal data are affected by threat of exposing vulnerable data to unauthorized parties.Using a fully homomorphic encryption (FHE) scheme in secure computations helps to avoid the data leakage.
Originally a conception of FHE was introduced by Rivest, Adleman and Dertouzous in their paper [5].Since people wanted to be able to perform the computations over the encrypted data, the problem of privacy homomorphism became very actual one in cryptography at whole.The first attempt of proposing FHE scheme belongs to Gentry [1].After publication of the scheme's idea he introduced the implementation of his algorithm in conjunction with Halevi [2].Then a lot of improvements of Gentry's work were proposed.But all of them were criticized as they required significant computing resources due to the usage of complex mathematical tools and produced big sizes of keys and output data [6].
Most of the proposed encryptions suffer from inefficiency to the practical use; therefore the problem of computations security is still actual [4].That is why our ultimate goal for FHE developing is researching for the previously not used but efficient mathematical technics to make practical implementation.As a result, we introduce a new fully homomorphic This research was performed in Novosibirsk State University under support of the Ministry of education and science of Russia (contract no.02.G25.310054)scheme that doesn't require massive computation resources and provide acceptable sizes of encryption keys and output values.
The next section of this paper features the mathematical bases of our approach as it gives some fundamental definitions.Section 3 describes the properties of computations over encrypted data.After it, in Section 4, we show the core components of the proposed fully homomorphic encryption cryptosystem.Section 5 covers the evaluation of our scheme's security.Then, Section 6 discusses possible applications of the developed homomorphic encryption including the implemented one and summarizes our achievements.

II. MATHEMATICAL FOUNDATION
This section gives essential mathematical bases.Let us discuss what a fully homomorphic cryptosystem means.Formally, such a scheme allows performing computation over the encrypted data without their decryption.In other words, an encryption algorithm E and a decryption D should satisfy the following conditions: where c 1 , c 2 are the ciphertexts and f is an arbitrary, efficiently computed function.In order to avoid the increase in data size we use modular arithmetic in our approach.Thus, the main idea of the proposed solution is as follows: we have a set of relatively prime numbers (m 1 , m 2 , . . ., m k ).The plaintext P we associate with the set P = (P 1 , P 2 , . . ., P k ) where P i = P mod m i , i = 1, . . ., k.This set is encrypted with proposed algorithm that will be described in details in the following section.The approach has the only constraint: the result of all the mathematical operations can't exceed the number Firstly we consider the simplified algorithm for the ring Z m and the modulus m only.To encrypt P we select a secret vector x = (x 1 , . . ., x n ), x i ∈ Z m .Then we construct a vector a = (a 1 , . . ., a n ), a i ∈ Z m as follows: (a, x) = P mod m It is worth noting that in general every number m can be represented as m = p α1 1 • . . .•p αs s , where p 1 , . . ., p s are prime numbers.Thus, it is enough to make all the necessary steps of the algorithm for the power of prime number only, or, in the simplest case, only for the prime number.
So, let m be a prime number.Now we will describe some mathematical details of the proposed approach.
The scalar product can be considered as a linear function: Thus, a linear function is completely determined by the vector u.
The secret point is defined as a vector x = (x 1 , . . ., x n ).Thereby, to represent the number P , we must construct a vector v ∈ Z n m as follows: This task belongs to the standard linear algebra and can be easily solved.Thus, v is called a ciphertext for P .

III. COMPUTATIONS OVER ENCRYPTED DATA
As it was previously mentioned, the proposed encryption allows performing the computations over ciphertexts.

A. Addition
Addition of vectors is equivalent to addition of their components with given modulus m according to the properties of the scalar product and the modular arithmetic.So, if we have representations for two numbers P 1 and P 2 : and in general the sum of the simple linear functions is defined as: Let us note that addition keeps the size of vectors.That means the resulting vector has the same length as the initial ciphers.

B. Multiplication
Multiplication of vectors v and u in common way leads to the increase in the result's length almost n times: In order to prevent vectors' length growth, we define a specific kind of multiplication.Let the secret vector satisfy the following condition: Also generally, the result of two vectors' multiplication can be written as: One can see that the right part of the expression is a quadratic function.Let us associate this function with the linear one according to rule: This function can be represented as (w, x) and the components of vector w can be defined using the components of initial vectors v and u as follows: In other words, we describe the specific kind of vectors' multiplication.According to (1), ( 2): Let us call the rule (3) the multiplication table and γ ijkthe structural constants.
Such a determination of multiplication table is similar to the definition of algebra.But there is an important difference: the structural constants have no constraints such as commutativity, associativity and presence of "unit".
In order to avoid the evident question whether we can find the structural constants that satisfy (1) for every secret vector or not, let us indicate the method of its construction.Let us represent the structural constants as a set of vectors: Thus, rewritten (1) looks as follows: 126 POSITION PAPERS OF THE FEDCSIS.Ł ÓD Ź, 2015 If we consider (4) as a set of linear equations with a given left part x i x j and n 3 variables γ ijk , these unknown variables are found ambiguous for every equation due to its non-trivial kernel.
The problem is the fact that in order to produce the real computations we need to disclose the structural constants.It is unobvious whether it is possible in this case to determine the secret vector with given constants.This question is equivalent to the question whether we can find a solution of the following system (if the coefficients γ ijk are given): On the one hand, it is considered that solving the equation ( 2) in a finite field is a difficult task.But on the other hand, the system (5) consists of n 2 equations in reference to n variables, i.e. highly overdetermined.For highly overdetermined systems of equations it is expected that the solution is unique.There is one more argument to justify the complexity of the problem: the prime number is a secret, therefore, it is still unknown what modulus should used in order to solve the system.
Thus, let us prove the following.Theorem 3.1: The secret vector x = (x 1 , . . ., x n ) and the structural constants γ ijk can be selected so that the system of equations ( 5) has at least n solutions.
In order to prove this theorem, let us give the construction of such a set of the structural constants.Let S be an arbitrary n × n matrix with the only constraint -it should be invertible by given modulus m.Then, choose two arbitrary columns of the matrix with i and j indexes (i and j may be the same).These columns match with two vectors -s i and s j respectively.
As it was mentioned, componentwise multiplication of the vectors u = (u 1 , . . ., u n ) and v = (v 1 , . . ., v n ) is defined by the following rule: Let us define vector γ ij as a solution of the equation According to the invertibility of the matrix S, the solution can be rewritten: All the columns of the matrix S satisfy the equation ( 5), where the structural constants are obtained as it is described above.As matrix S has n rows, we finally get n different solutions of the equation (5).
Remark 3.1: This construction is appropriate for any finite fields.
Remark 3.2: Since n different secret vectors correspond to the same set of structural constants, we can produce n secure computations simultaneously.

IV. PROPOSED CRYPTOSYSTEM
In this section we consider the description of the proposed encryption that is based on modular arithmetic.

A. Basics
Firstly, let original message P be an integer number -we impose the only constraint: P < M, M ∼ 2 64 in order to perform all the computations correctly.Then, let us define the encryption's secret key as a triple (mods, α, x), where for generating secret vectors x; • x = (x 1 , . . ., x k ) -a set of k vectors with length n.Thus, to encrypt P we should represent it as a set of residues (P 1 , . . ., P k ) : P i = P mod m i and after that construct a vector c i for every P i such that it satisfies the following condition:

B. Multiplication table
Before presenting the essence of the proposed encryption algorithm, let us describe the special multiplication table T = (γ ijk ) introduced in the previous section.Matrix T is used for the computations over ciphertexts in order to avoid the increase in the data lengths.We can work with the only multiplication table for all the moduli, but also we can generate k different tables for k different moduli.Let us consider this method for the chosen modulus m i and fix the index i for all used terms; so then, we work simply with modulus m.
In order to generate such a table we need matrix S described in Section 2. Thus, computing the constants γ ijk for every couple of i and j we get the specific multiplication table T = (γ ijk ) for the fixed modulus m = m i .
Let us note one more feature of the multiplication table.If we construct matrix T as a non-symmetric matrix, we will get different results while computing (a i • a j ) • a k and a j • (a i • a k ).It means that the operation of multiplication has no associative and commutative properties.Also this fact invokes a nondeterministic character of the proposed encryption scheme.

C. Cryptosystem
Our fully homomorphic cryptosystem consists of three algorithms (KeyGen, Enc, Dec), where • KeyGen -the probabilistic key generation algorithm that constructs the key; • Enc -the encryption algorithm that takes initial message P , mods -a part of the secret key and the multiplication tables T as the input parameters and returns a ciphertext C; • Dec -the decryption algorithm that uses the secret key and the ciphertext C, returns the original message P .
DARYA CHECHULINA, KIRILL SHATILOV, SERGEY KRENDELEV: FULLY HOMOMORPHIC ENCRYPTION 1) Key Generation: As it was previously mentioned, the encryption key is secret and consists of the set of the relatively prime moduli and two sets of vectors.Let us consider the way of key generation in details.
Step 1.Let S be an arbitrary n × n matrix with non-zero determinant det(S).Then we choose k relatively prime moduli (m 1 , . . ., m k ) with a condition: gcd(m, det(S)) = 1.It is necessary in order to provide the invertibility of S by each modulus.Thus, matrix S for each modulus will be computed as follows: Step 2. Then we should construct an arbitrary vector α = (α i1 , . . ., α in ) associated with modulus m i using a rule: This rule means that every element of vector α ij is invertible by chosen modulus m i .
Besides we should provide the existence of at least two relatively prime elements in vector α i in order to solve diophantine equations in the Enc algorithm.
A set of vectors α i is also a part of the secret key.
Step 3. At the last step of key generation we compute x i from the equation: Due to the fact that matrix S i is invertible by modulus m i : x i = (S −1 i α i ) mod m i ∀m i Therefore, after key generation process we have k moduli (m 1 , . . ., m k ) and the set of k secret vectors x = (x 1 , . . ., x n ) constructed using the set of α i .It is worth noting that the generation method is probabilistic due to the arbitrariness of S and α i selection.
2) Encryption: The input parameters for this algorithm are the original message P -an integer number that satisfies the following constraint: P < M, M ∼ 2 64 , the secret key and the set of multiplication tables (T 1 , . . ., T k ).
Step 1.Let us start with the computing the set (P 1 , . . ., P k ) as follows: Step 2. Using vectors of the secret key (α 1 , . . ., α k ), consider the equation: Then compute the set of y i as a result of the diophantine equation.Let us describe the way of solving such an equation in details.Due to the existence of two relatively prime components in every vector α i the solution of this equation can be found as follows: let the position of two coprime integers be r and s, then choose random values for the coefficients y iq : q = 1, . . ., n, q = r, q = s and substitute them into the equation (6).Thus, we get a linear diophantine equation with only two variables: The equation ( 7) can be solved, because the coefficients α ir and α is are relatively prime.Therefore, the values of the components y ir and y is can be computed using the Euclidean algorithm.Also we can use the multiplication table T i in order to solute such an equation.In this case we should only substitute x i x j in the formula (5) with P i .
Step 3. Compute a cipher C = (c 1 , . . ., c k ) using the following rule: The result of the encryption algorithm is the ciphertext C that consists of k vectors of length n : (c 1 , . . ., c k ).Thus, cipher C is a k × n matrix.
3) Decryption: The algorithm's input parameters are the ciphertext C, described previously, and the secret key.
Step 1. Compute a set (P 1 , . . ., P k ) as follows: Let us prove the correctness of the equation ( 8) using previously given formulas of the encryption algorithm and the properties of the standard linear algebra: Step 2. As we have the set of P i , apply the Chinese remainder theorem [3] and get the original integer number P that satisfies the next condition: Let us consider the modification of the algorithm that provides the probabilistic character of the encryption in order to improve its security.Let C be a ciphertext for the initial number P .First of all, we compute a ciphertext corresponding to zero -C 0 , then multiply it by an arbitrary coefficient θ.After that we add the result θ • C 0 to the ciphertext C: Then C ′ is called a new ciphertext for the number P .As our encryption is fully homomorphic we may be sure the ciphertext C ′ is appropriate for P .So, to get the original message P , we should decrypt C ′ only.Thus, the proposed modification improves the complexity of the encryption algorithm.Such a modification is considered as a primary encryption algorithm.Its security evaluation will be discussed in the following section.
To conclude, in this section the details of the proposed fully homomorphic scheme were given.Briefly, let us mention the main features of this scheme again.The secret key is a triple (mods, α, x).We decided to perform all of the secure computations using modular arithmetic in order to avoid growth of the integers' size.Also the specific kind of vectors' multiplication that allows performing arithmetical operations over ciphertexts without the increase in the resulting vectors' length was proposed.Then the probabilistic modification of our FHE scheme was described.

V. ENCRYPTION SECURITY EVALUATION
In order to analyze the complexity of the proposed FHE scheme, we provide some information about its efficiency: is the complexity of key generation algorithm; • O(n 3 ) is the complexity of multiplication table generation process; In previous section it was mentioned that we might consider the proposed fully homomorphic encryption as a probabilistic one.The probabilistic encryption algorithm means that we get different ciphertexts if we encrypt the same plaintext more than once.Obviously such a modification prevents our scheme from common attacks, i.e. chosen ciphertext or plaintext attacks.

VI. FHE APPLICATIONS
The proposed homomorphic encryption can be used in a multiple applications due to its practical allowance and acceptable data overhead.It's main purpose -as it was stated previously -to perform mathematical operations over encrypted data in untrusted and non-interactive environments without access to the encryption keys or initial data.So, the proposed solution can be practically used in the following cases of the secure computations.

A. Computation in Database
Databases and cloud databases, as a special case of cloud services, are affected by the same problem of keeping data confidentiality.Such a problem arises when a does not trust a database provider and/or an administrator or is not sure about security of connection between end user machine and database server [13].Analogically, Fully Homomorphic and Order Preserving encryptions (OPE) can be applied to solve problem of keeping confidentiality of database entries.Properties of FHE and OPE allow users to perform any kind of computations (of course, with corresponding limitations) inside DBMS and the end user should decrypt only the result of selected data.Such an approach was implemented in MIT CryptoDB [14] and was positively acclaimed by the academy and the industry.
Alternatively we designed and developed a solution for secure Database [15].We use proprietary developed OPE [16], proposed in this article FHE and strong deterministic encryptions.Main idea of our approach to secure database is to intercept user SQL queries on a flexibly configurable proxy server, encrypt vulnerable user's data and change the syntax of queries according to encryption's output ciphertext.Responses from DBMS are decrypted in a proper way and displayed to the user.The feature of granular security allows different encryptions to be applied to different columns in SQL table and perfectly accommodates user's requirements.Combination of implemented encryptions with carefully designed secure database architecture allowed us to achieve significantly low overhead of data flow and SQL queries' execution time.Estimated average overhead is around 20%.
This project allowed us to validate developed homomorphic encryption and to show its practical acceptance.Thus, we can perform secure computations over ecrypted data directly in protected database due to the properties of FHE.That is why such an application is primary for the proposed fully homomorphic encryption.

B. Cloud Computation
Cloud technologies are very popular and wide spread nowadays.Although customers of cloud services are very excited by cloud features and benefits that cloud has brought to enterprises, they are very concerned about security, particularity confidentiality, of data stored and processed in a cloud [7].Those concerns are caused by several security issues of cloud technology in common, such as insider threat [8], possible security breach [9], intervention of special services into citizens privacy [10] and any other case of unauthorized access to vulnerable user data.There are multiple solutions [11][12] to described problem and one of them is usage of encryptions.Using homomorphic encryption or order preserving encryptions will allow business users to perform variety of operations over data stored in cloud data centers without necessity of massive computations on customers' side.Such a scenario will possibly lower expenses, while ensuring confidentiality of customer's data.

C. Constructing Public-Key Cryptosystem
Firstly we consider the application of fully homomorphic encryption for constructing linear and polynomial public-key cryptosystems.It is worth to note that we use the simplified method of the proposed encryption with fixed parameters: k = 1, n = 4.It means that we have the only modulus m and the only secret vector x.
The linear one is based on the Hill cipher [20].In common way Hill cipher matches an original vector p to a ciphertext c according to the rule: c = A • p mod m, where a square matrix A and a modulus m are secret.Besides, the matrix A should be invertible by the modulus m in order to provide the correctness of the decryption process.It is obvious that such a method is vulnerable to the plaintext attack.That is why the main idea of our approach is to hide the secret matrix A using the proposed FHE for its encryption.Also we encrypt the initial message with fully homomorphic algorithm E. Then we get a ciphertext, a result of public-key encryption, according to the rule: c = E(A) • E(p) mod m.
The second, polynomial, cryptosystem is based on the analogue of the well-known RSA algorithm [19] where the modulus m is secret.Unfortunately this construction is unstable, but we can modify it using our fully homomorphic encryption.Thus, we propose to encrypt original number with the FHE algorithm E and after that raise the result of encryption to the power: E(p) e mod m.
Let us consider the details of the polinomial cryptosystem via some examples.
1) Keys generation: Secret key consists of the components of the proposed homomorphic encryption's key: The size of secret and public keys is 2.5 Kb for the chosen parameters k and n.
2) Encryption: The initial number is an integer p = 123.The first step of the algorithm is to encrypt p using our fully homomorphic encryption.In other words, we should match p with a vector c that satisfies the following condition: (c, x) mod m = p.Finally we get the initial number p = 123.Implementation of these cryptosystems demonstrates that all of the arithmetical calculations over encrypted data are correct.Also it proves that the multiplication of ciphertexts doesn't lead to the increase in dimension of multiplication results.This is the illustration of first practical use of the proposed FHE scheme.