ASIACCS2018 http://asiaccs2018.org/?page_id=632

1. Efficient Two-level Homomorphic
Encryption in Prime-order Bilinear
Groups and A Fast Implementation in
WebAssembly
Nuttapong Attrapadung*1, Goichiro Hanaoka*1,
Shigeo Mitsunari*2, Yusuke Sakai*1, Kana Shimizu*3,
Tadanori Teruya*1
*1 AIST, *2 Cybozu labs, *3 Waseda Univ.
Partially supported by JST CREST JPMJCR1688
2018/06/08 AsiaCCS 2018 1

2. Our result
• Efficient two-level homomorphic encryption
• Many times add. and one-time mult. on encrypted data
• Based on Type 3 (asymmetric) pairing
• Combine the lifted-ElGamal encryption scheme
• Faster than Freeman’s scheme (EUROCRYPT 2010)
• High-performance implementation
• C++/asm/WebAssembly
• https://github.com/herumi/mcl
• https://github.com/herumi/she-wasm
• Open source: BSD 3-clause
2018/06/08 AsiaCCS 2018 2

3. Benchmarks
• Calculation times in msec
• BN254 (𝔾1: 256 bits, around 100-bit security)
• Uses lookup tables for decryption (20-bit plaintext)
2018/06/08 AsiaCCS 2018 3
Native (x64) JavaScritpt with wasm
x64 Linux on
Core i7-7700
Firefox on
Core i7-7700
Safari on
iPhone 7
Enc 𝔾1
0.018 0.3 0.96
Enc 𝔾2
0.048 0.82 1.72
Add 𝔾1
0.00062 0.016 0.016
Add 𝔾2
0.002 0.036 0.048
Mult 1.17 15.6 24.3
Dec2 0.66 7.8 12.6

4. Comparison of Size
• Fre10: Freemen’s scheme (EUROCRYPT 2010)
• Compare bit size on a 462-bit Barreto-Naehrig
(BN) curve
2018/06/08 AsiaCCS 2018 4

5. Comparison of Time
• CT: Ciphertext
• Fre10: Freemen’s scheme in EUROCRYPT 2010
• Compare calculation time on a 462-bit BN curve
2018/06/08 AsiaCCS 2018 5

6. Outline
• Background
• Our proposed two-level homomorphic encryption
• Security
• Implementation
• Conclusion
2018/06/08 AsiaCCS 2018 6

7. Background
2018/06/08 AsiaCCS 2018 7

8. Computing on encrypted data
• Data analysis with taking care of sensitive data
• Homomorphic Encryption (HE)
• Allows computation on encrypted data
• Many applications related to privacy-preserving
schemes
• Types of HE
• Additively HE
(ex. Okamoto-Uchiyama, Paillier, Lifted-ElGamal)
• Enc 𝑚 + Enc 𝑚′ = Enc(𝑚 + 𝑚′)
• Multiplicatively HE (ex. RSA, ElGamal)
• Enc 𝑚 × Enc 𝑚′ = Enc 𝑚𝑚′
• Fully HE (ex. Gentry, BGV, BV, GSW, …)
• Can do homomorphic add. and mult.
2018/06/08 AsiaCCS 2018 8

9. Pros and Cons
• Add. HE, Mult. HE
• Applications are restricted
• Fully HE (FHE)
• Any computations possible, but inefficient
• Security relies on less standard assumptions
• Leveled HE
• The number of homomorphic mult. is restricted.
• An intermediate notion between Add. HE and FHE.
2018/06/08 AsiaCCS 2018 9
Add. HE Leveled HE FHE
Efficiency very good medium bad
Functionality medium good very good

10. Two-level HE
• HE that allows one homomorphic multiplication
• Allows degree-2 polynomial homomorphic evaluations
• Allows inner product of two vectors
• 𝑥 = 𝑥1, 𝑥2, … , 𝑦 = 𝑦1, 𝑦2, …
• σ𝑖 Enc1 𝑥𝑖 × Enc1 𝑦𝑖 = Enc2 σ𝑖 𝑥𝑖 × 𝑦𝑖
2018/06/08 AsiaCCS 2018 10
×1 2
3
3 4
12
12 13
25
++
: Level-1 : Level-2

11. Previous two-level HE
• Boneh, Goh, Nissim (TCC 2005)
• Based on Composite-order pairings, hence much less efficient
• Freeman (EUROCRYPTO 2010)
• Composite-to-prime-order transformation framework, applied to
BGN
• Herold, Hesse, Hofheinz, Rafols, Rupp (CRYPTO 2014)
• Improving Freeman’s frameworks
• Only Type 1 pairings, inefficient
• Catalano, Fiore (ACM CCS 2015)
• Transformation from d-Level HE to (2d)-level
• Instantiations are not necessarily efficient
• Memo
• Decryption in all these schemes requires discrete log (DL)
• Hence plaintext space should be sufficiently small (up to 30-bit)
2018/06/08 AsiaCCS 2018 11

12. Our proposed
two-level HE
2018/06/08 AsiaCCS 2018 12

13. Our proposal
• Combine lifted-ElGamal encryption scheme with
Type 3 pairings
• Level-1 (L1) ciphertext (CT) is same as lifted-ElGamal
• Format of level-2 (L2) CT is same as Freeman’s scheme
• Note: Type 3 pairings
• Cyclic groups 𝔾1, 𝔾2, 𝔾 𝑇 of order prime 𝑝 with
bilinear map 𝑒: 𝔾1 × 𝔾2 → 𝔾T
• 𝑒 𝑎𝑃, 𝑏𝑄 = 𝑒 𝑃, 𝑄 𝑎𝑏 for 𝑎, 𝑏 ∈ ℤ 𝑝, 𝑃 ∈ 𝔾1, 𝑄 ∈ 𝔾2
• 𝔾1 ≠ 𝔾2 and no efficient map from 𝔾1 to 𝔾2
2018/06/08 AsiaCCS 2018 13

14. Setup and Key generation
• Setup
• Elliptic curve group 𝔾𝑖 = ⟨𝑃𝑖⟩ with prime order 𝑝 for
𝑖 = 1, 2
• 𝔾T = 𝑔T , where 𝑔T = 𝑒 𝑃1, 𝑃2
• Key generation
• Secret key 𝑠1, 𝑠2 ∈ ℤ 𝑝 is generated at random
• Public key 𝑠1 𝑃1, 𝑠2 𝑃2,
(and optional precomputation 𝑧1 = 𝑔T, 𝑧2 = 𝑔T
𝑠1, 𝑧3 =
𝑔T
𝑠2, 𝑧4 = 𝑔T
𝑠1 𝑠2)
• Note: Colors
• Green: Public part
• Blue: Secret and hidden part
2018/06/08 AsiaCCS 2018 14

15. Level-1 CT and Enc./Dec.
• Encrypt
• Plaintext 𝑚 with randomness 𝑟
• Enc 𝔾 𝑖
𝑚 = (𝑚𝑃𝑖 + 𝑟𝑠𝑖 𝑃𝑖, 𝑟𝑃𝑖) for 𝑖 = 1, 2
• Duplicated form:
Enc1 𝑚 ≔ Enc 𝔾1
𝑚 , Enc 𝔾2
𝑚
• Decrypt
• For 𝑖 = 1, 2, decrypt Enc 𝔾 𝑖
𝑚 = (𝑆, 𝑇) by
𝑆 − 𝑠𝑖 𝑇 = 𝑚𝑃𝑖 + 𝑟𝑠𝑖 𝑃𝑖 − 𝑠𝑖 𝑟𝑃𝑖 = 𝑚𝑃𝑖
and then, to obtain 𝑚, solve DL
• Almost same as lifted-ElGamal
2018/06/08 AsiaCCS 2018 15

16. Homomorphic addition on L1 CT
• For 𝑖 = 1, 2,
Enc 𝔾 𝑖
𝑚1 + Enc 𝔾 𝑖
𝑚2
= 𝑚1 𝑃𝑖 + 𝑟1 𝑠𝑖 𝑃𝑖, 𝑟1 𝑃𝑖 + 𝑚2 𝑃𝑖 + 𝑟2 𝑠𝑖 𝑃𝑖, 𝑟2 𝑃𝑖
= 𝑚1 + 𝑚2 𝑃𝑖 + 𝑟1 + 𝑟2 𝑠𝑖 𝑃𝑖, 𝑟1 + 𝑟2 𝑃𝑖
= Enc 𝔾 𝑖
(𝑚1 + 𝑚2)
• Also, almost same as lifted-ElGamal
• Scalar multiplication of ciphertext is easy
𝑛𝐸𝑛𝑐 𝔾 𝑖
𝑚
= (𝑛𝑚𝑖 𝑃𝑖 + (𝑛𝑟)𝑠𝑖 𝑃𝑖, (𝑛𝑟)𝑃𝑖))
2018/06/08 AsiaCCS 2018 16
1 2
3
+
: Level-1

17. Homomorphic multiplication
• 𝐶1 × 𝐶2 ≔ 𝑒 𝑆1, 𝑆2 , 𝑒 𝑆1, 𝑇2 , 𝑒 𝑇1, 𝑆2 , 𝑒 𝑇1, 𝑇2
= 𝑧1
𝑚1 𝑚2 𝑧4
𝜏′, 𝑧2
𝜎′, 𝑧3
𝜌′, 𝑧1
𝜎′+𝜌′−𝜏′ ∈ 𝔾T
4
• 𝐶1 = 𝑆1, 𝑇1 = 𝑚1 𝑃1 + 𝑟1 𝑠1 𝑃1, 𝑟1 𝑃1 = Enc 𝔾1
𝑚1 ∈ 𝔾1
2
• 𝐶2 = 𝑆2, 𝑇2 = 𝑚2 𝑃2 + 𝑟2 𝑠2 𝑃2, 𝑟2 𝑃2 = Enc 𝔾2
𝑚2 ∈ 𝔾2
2
• 𝑧1 = 𝑔T, 𝑧2 = 𝑔T
𝑠1, 𝑧3 = 𝑔T
𝑠2, 𝑧4 = 𝑔T
𝑠1 𝑠2
• Tensor product of 𝐶1, 𝐶2
• Its result is level-2 ciphertext
2018/06/08 AsiaCCS 2018 17
×3 4
12
: Level-1
: Level-2

18. Homomorphic addition on L2 CT
• Enc2 𝑚1 + Enc2 𝑚2
= 𝑧1
𝑚1 𝑧4
𝜏1, 𝑧2
𝜎1, 𝑧3
𝜌1, 𝑧1
𝜎1+𝜌1−𝜏1
+ 𝑧1
𝑚2 𝑧4
𝜏2, 𝑧2
𝜎2, 𝑧3
𝜌2, 𝑧1
𝜎2+𝜌2−𝜏2
= ( 𝑧1
𝑚1+𝑚2 𝑧4
𝜏1+𝜏2, 𝑧2
𝜎1+𝜎2,
൯𝑧3
𝜌1+𝜌2, 𝑧1
(𝜎1+𝜎2)+(𝜌1+𝜌2)−(𝜏1+𝜏2)
2018/06/08 AsiaCCS 2018 18
12 13
25
+
: Level-2

19. Decryption for level-2 CT
• Decrypting an level-2 ciphertext 𝑐1, 𝑐2, 𝑐3, 𝑐4
Dec2 c1, c2, 𝑐3, 𝑐4 ≔
𝑐1 𝑐4
𝑠1 𝑠2
𝑐2
𝑠2
𝑐3
𝑠1
=
𝑒 𝑆1, 𝑆2 𝑒 𝑠1 𝑇1, 𝑠2 𝑇2
𝑒 𝑆1, 𝑠2 𝑇2 𝑒 𝑠1 𝑇1, 𝑆2
= 𝑒 𝑆1 − 𝑠1 𝑇1, 𝑆2 − 𝑠2 𝑇2
= 𝑒 𝑚𝑃1 , 𝑚′ 𝑃2 = 𝑒 𝑃1, 𝑃2
𝑚𝑚′
then solve DLP to obtain 𝑚𝑚′
• Note: 𝑐1, 𝑐2, 𝑐3, 𝑐4 =
𝑧1
𝑚𝑚′ 𝑧4
𝜏, 𝑧2
𝜎, 𝑧3
𝜌, 𝑧1
𝜎+𝜌−𝜏 ∈ 𝔾T
4
,
where 𝑧1 = 𝑔T, 𝑧2 = 𝑔T
𝑠1, 𝑧3 = 𝑔T
𝑠2, 𝑧4 = 𝑔T
𝑠1 𝑠2
2018/06/08 AsiaCCS 2018 19

20. Proving the knowledge of plaintexts
• ZK protocols can be applied to ours
• While dedicated construction is needed for the
schemes of Freeman’s and others
• Because lifted-ElGamal based construction
• Example 1: Duplicated form of L1 CT
• Dup. L1 CT is Enc 𝔾1
𝑚 , Enc 𝔾2
𝑚′
• Attach a proof of “𝑚 = 𝑚′”
• Example 2: Proving a CT encrypts a bit
• Attach a proof of “encrypted plaintext is 0 or 1”
• Applications: Voting, two-party computation
2018/06/08 AsiaCCS 2018 20

21. Security
2018/06/08 AsiaCCS 2018 21

22. Confidentiality
• Our scheme is IND-CPA secure under the SXDH
assumption
• Standard security level
• See the proceedings for the proof
• Note: SXDH (Symmetric eXternal Diffie-Hellman)
assumption
• 𝑃1 ∈ 𝔾1, 𝑃2 ∈ 𝔾2, for random 𝛼, 𝛽, 𝛾,
𝑃1, 𝛼𝑃1, 𝛽𝑃1, 𝛼𝛽𝑃1 ≈ 𝑃1, 𝛼𝑃1, 𝛽𝑃1, 𝛾𝑃1 and
𝑃2, 𝛼𝑃2, 𝛽𝑃2, 𝛼𝛽𝑃2 ≈ 𝑃2, 𝛼𝑃2, 𝛽𝑃2, 𝛾𝑃2
2018/06/08 AsiaCCS 2018 22

23. Circuit privacy
• Circuit private if ReRand𝑖 𝑐 ≈ Enc𝑖(Dec𝑖 𝑐 )
• Rerandomization: ReRand𝑖 𝑐 ≔ 𝑐 + Enc𝑖(0)
• ReRand𝑖 𝑐 removes a trace of circuit from 𝑐
• See the proceedings for the proof
• Note: Sometimes, arithmetic circuit depends on
secret
• E.g., for 𝑖 = 1, 2,
𝑛 × Enc𝑖 𝑚 = ෍
𝑗=1
𝑛
Enc𝑖 𝑚 = Enc𝑖 𝑛𝑚
• Should be Enc𝑖 𝑚 + Enc𝑖 𝑚′ ≈ Enc𝑖 𝑚 + 𝑚′ and
Enc1 𝑚 × Enc1 𝑚′ ≈ Enc2 𝑚𝑚′
• Note: It is obvious that CTs are in which group
𝔾1, 𝔾2, 𝔾T
2018/06/08 AsiaCCS 2018 23

24. Implementation
2018/06/08 AsiaCCS 2018 24

25. Our Implementation
• Available in “mcl”: A library for pairings
• C++: https://github.com/herumi/mcl
• web browser/Node.js:
https://github.com/herumi/she-wasm
• Optimized for x64/ARM64
• WebAssembly (wasm)
• Runs on Microsoft Edge, Firefox, Chrome, Safari
without any plug-ins
• Demo: https://herumi.github.io/she-wasm/she-
demo.html
• Open source: BSD 3-clause
2018/06/08 AsiaCCS 2018 25

26. (Again) Benchmarks
• Calculation times in msec
• BN254 (𝔾1: 256 bits, around 100-bit security)
• Uses lookup tables for decryption (20-bit plaintext)
2018/06/08 AsiaCCS 2018 26
Native (x64) JavaScritpt with wasm
x64 Linux on
Core i7-7700
Firefox on
Core i7-7700
Safari on
iPhone 7
Enc 𝔾1
0.018 0.3 0.96
Enc 𝔾2
0.048 0.82 1.72
Add 𝔾1
0.00062 0.016 0.016
Add 𝔾2
0.002 0.036 0.048
Mult 1.17 15.6 24.3
Dec2 0.66 7.8 12.6

27. Demonstration of wasm
• Let’s moving on to demo!
https://herumi.github.io/she-wasm/she-
demo.html
2018/06/08 AsiaCCS 2018 27

28. Conclusion
• We proposed efficient two-level HE
• Combine the lifted-ElGamal encryption on Type 3
pairings
• L1 CTs have a exactly same form as lifted-ElGamal
• Our high-performance implementation
• C++/asm/WebAssembly
• Optimized for x64/ARM64
• Supports Win/Mac/Linux/web browsers
• Available under open source license:
https://github.com/herumi/mcl,
https://github.com/herumi/she-wasm
2018/06/08 AsiaCCS 2018 28
Thank you!