Efficient Two-level Homomorphic Encryption in Prime-order Bilinear Groups and A Fast Implementation in WebAssembly
1. Efficient Two-level Homomorphic
Encryption in Prime-order Bilinear
Groups and A Fast Implementation in
WebAssembly
Nuttapong Attrapadung*1, Goichiro Hanaoka*1,
Shigeo Mitsunari*2, Yusuke Sakai*1, Kana Shimizu*3,
Tadanori Teruya*1
*1 AIST, *2 Cybozu labs, *3 Waseda Univ.
Partially supported by JST CREST JPMJCR1688
2018/06/08 AsiaCCS 2018 1
2. Our result
• Efficient two-level homomorphic encryption
• Many times add. and one-time mult. on encrypted data
• Based on Type 3 (asymmetric) pairing
• Combine the lifted-ElGamal encryption scheme
• Faster than Freeman’s scheme (EUROCRYPT 2010)
• High-performance implementation
• C++/asm/WebAssembly
• https://github.com/herumi/mcl
• https://github.com/herumi/she-wasm
• Open source: BSD 3-clause
2018/06/08 AsiaCCS 2018 2
3. Benchmarks
• Calculation times in msec
• BN254 (𝔾1: 256 bits, around 100-bit security)
• Uses lookup tables for decryption (20-bit plaintext)
2018/06/08 AsiaCCS 2018 3
Native (x64) JavaScritpt with wasm
x64 Linux on
Core i7-7700
Firefox on
Core i7-7700
Safari on
iPhone 7
Enc 𝔾1
0.018 0.3 0.96
Enc 𝔾2
0.048 0.82 1.72
Add 𝔾1
0.00062 0.016 0.016
Add 𝔾2
0.002 0.036 0.048
Mult 1.17 15.6 24.3
Dec2 0.66 7.8 12.6
4. Comparison of Size
• Fre10: Freemen’s scheme (EUROCRYPT 2010)
• Compare bit size on a 462-bit Barreto-Naehrig
(BN) curve
2018/06/08 AsiaCCS 2018 4
5. Comparison of Time
• CT: Ciphertext
• Fre10: Freemen’s scheme in EUROCRYPT 2010
• Compare calculation time on a 462-bit BN curve
2018/06/08 AsiaCCS 2018 5
8. Computing on encrypted data
• Data analysis with taking care of sensitive data
• Homomorphic Encryption (HE)
• Allows computation on encrypted data
• Many applications related to privacy-preserving
schemes
• Types of HE
• Additively HE
(ex. Okamoto-Uchiyama, Paillier, Lifted-ElGamal)
• Enc 𝑚 + Enc 𝑚′ = Enc(𝑚 + 𝑚′)
• Multiplicatively HE (ex. RSA, ElGamal)
• Enc 𝑚 × Enc 𝑚′ = Enc 𝑚𝑚′
• Fully HE (ex. Gentry, BGV, BV, GSW, …)
• Can do homomorphic add. and mult.
2018/06/08 AsiaCCS 2018 8
9. Pros and Cons
• Add. HE, Mult. HE
• Applications are restricted
• Fully HE (FHE)
• Any computations possible, but inefficient
• Security relies on less standard assumptions
• Leveled HE
• The number of homomorphic mult. is restricted.
• An intermediate notion between Add. HE and FHE.
2018/06/08 AsiaCCS 2018 9
Add. HE Leveled HE FHE
Efficiency very good medium bad
Functionality medium good very good
11. Previous two-level HE
• Boneh, Goh, Nissim (TCC 2005)
• Based on Composite-order pairings, hence much less efficient
• Freeman (EUROCRYPTO 2010)
• Composite-to-prime-order transformation framework, applied to
BGN
• Herold, Hesse, Hofheinz, Rafols, Rupp (CRYPTO 2014)
• Improving Freeman’s frameworks
• Only Type 1 pairings, inefficient
• Catalano, Fiore (ACM CCS 2015)
• Transformation from d-Level HE to (2d)-level
• Instantiations are not necessarily efficient
• Memo
• Decryption in all these schemes requires discrete log (DL)
• Hence plaintext space should be sufficiently small (up to 30-bit)
2018/06/08 AsiaCCS 2018 11
13. Our proposal
• Combine lifted-ElGamal encryption scheme with
Type 3 pairings
• Level-1 (L1) ciphertext (CT) is same as lifted-ElGamal
• Format of level-2 (L2) CT is same as Freeman’s scheme
• Note: Type 3 pairings
• Cyclic groups 𝔾1, 𝔾2, 𝔾 𝑇 of order prime 𝑝 with
bilinear map 𝑒: 𝔾1 × 𝔾2 → 𝔾T
• 𝑒 𝑎𝑃, 𝑏𝑄 = 𝑒 𝑃, 𝑄 𝑎𝑏 for 𝑎, 𝑏 ∈ ℤ 𝑝, 𝑃 ∈ 𝔾1, 𝑄 ∈ 𝔾2
• 𝔾1 ≠ 𝔾2 and no efficient map from 𝔾1 to 𝔾2
2018/06/08 AsiaCCS 2018 13
14. Setup and Key generation
• Setup
• Elliptic curve group 𝔾𝑖 = ⟨𝑃𝑖⟩ with prime order 𝑝 for
𝑖 = 1, 2
• 𝔾T = 𝑔T , where 𝑔T = 𝑒 𝑃1, 𝑃2
• Key generation
• Secret key 𝑠1, 𝑠2 ∈ ℤ 𝑝 is generated at random
• Public key 𝑠1 𝑃1, 𝑠2 𝑃2,
(and optional precomputation 𝑧1 = 𝑔T, 𝑧2 = 𝑔T
𝑠1, 𝑧3 =
𝑔T
𝑠2, 𝑧4 = 𝑔T
𝑠1 𝑠2)
• Note: Colors
• Green: Public part
• Blue: Secret and hidden part
2018/06/08 AsiaCCS 2018 14
15. Level-1 CT and Enc./Dec.
• Encrypt
• Plaintext 𝑚 with randomness 𝑟
• Enc 𝔾 𝑖
𝑚 = (𝑚𝑃𝑖 + 𝑟𝑠𝑖 𝑃𝑖, 𝑟𝑃𝑖) for 𝑖 = 1, 2
• Duplicated form:
Enc1 𝑚 ≔ Enc 𝔾1
𝑚 , Enc 𝔾2
𝑚
• Decrypt
• For 𝑖 = 1, 2, decrypt Enc 𝔾 𝑖
𝑚 = (𝑆, 𝑇) by
𝑆 − 𝑠𝑖 𝑇 = 𝑚𝑃𝑖 + 𝑟𝑠𝑖 𝑃𝑖 − 𝑠𝑖 𝑟𝑃𝑖 = 𝑚𝑃𝑖
and then, to obtain 𝑚, solve DL
• Almost same as lifted-ElGamal
2018/06/08 AsiaCCS 2018 15
20. Proving the knowledge of plaintexts
• ZK protocols can be applied to ours
• While dedicated construction is needed for the
schemes of Freeman’s and others
• Because lifted-ElGamal based construction
• Example 1: Duplicated form of L1 CT
• Dup. L1 CT is Enc 𝔾1
𝑚 , Enc 𝔾2
𝑚′
• Attach a proof of “𝑚 = 𝑚′”
• Example 2: Proving a CT encrypts a bit
• Attach a proof of “encrypted plaintext is 0 or 1”
• Applications: Voting, two-party computation
2018/06/08 AsiaCCS 2018 20
25. Our Implementation
• Available in “mcl”: A library for pairings
• C++: https://github.com/herumi/mcl
• web browser/Node.js:
https://github.com/herumi/she-wasm
• Optimized for x64/ARM64
• WebAssembly (wasm)
• Runs on Microsoft Edge, Firefox, Chrome, Safari
without any plug-ins
• Demo: https://herumi.github.io/she-wasm/she-
demo.html
• Open source: BSD 3-clause
2018/06/08 AsiaCCS 2018 25
26. (Again) Benchmarks
• Calculation times in msec
• BN254 (𝔾1: 256 bits, around 100-bit security)
• Uses lookup tables for decryption (20-bit plaintext)
2018/06/08 AsiaCCS 2018 26
Native (x64) JavaScritpt with wasm
x64 Linux on
Core i7-7700
Firefox on
Core i7-7700
Safari on
iPhone 7
Enc 𝔾1
0.018 0.3 0.96
Enc 𝔾2
0.048 0.82 1.72
Add 𝔾1
0.00062 0.016 0.016
Add 𝔾2
0.002 0.036 0.048
Mult 1.17 15.6 24.3
Dec2 0.66 7.8 12.6
27. Demonstration of wasm
• Let’s moving on to demo!
https://herumi.github.io/she-wasm/she-
demo.html
2018/06/08 AsiaCCS 2018 27
28. Conclusion
• We proposed efficient two-level HE
• Combine the lifted-ElGamal encryption on Type 3
pairings
• L1 CTs have a exactly same form as lifted-ElGamal
• Our high-performance implementation
• C++/asm/WebAssembly
• Optimized for x64/ARM64
• Supports Win/Mac/Linux/web browsers
• Available under open source license:
https://github.com/herumi/mcl,
https://github.com/herumi/she-wasm
2018/06/08 AsiaCCS 2018 28
Thank you!