Homomorphic encryption

Homomorphic encryption is a form of encryption with an additional evaluation capability for computing over encrypted data without access to the secret key. The result of such a computation remains encrypted. Homomorphic encryption can be viewed as an extension of either symmetric-key or public-key cryptography. Homomorphic refers to homomorphism in algebra: the encryption and decryption functions can be thought of as homomorphisms between plaintext and ciphertext spaces.

Homomorphic encryption includes multiple types of encryption schemes that can perform different classes of computations over encrypted data.[1] Some common types of homomorphic encryption are partially homomorphic, somewhat homomorphic, leveled fully homomorphic, and fully homomorphic encryption. The computations are represented as either Boolean or arithmetic circuits. Partially homomorphic encryption encompasses schemes that support the evaluation of circuits consisting of only one type of gate, e.g., addition or multiplication. Somewhat homomorphic encryption schemes can evaluate two types of gates, but only for a subset of circuits. Leveled fully homomorphic encryption supports the evaluation of arbitrary circuits of bounded (pre-determined) depth. Fully homomorphic encryption (FHE) allows the evaluation of arbitrary circuits of unbounded depth, and is the strongest notion of homomorphic encryption. For the majority of homomorphic encryption schemes, the multiplicative depth of circuits is the main practical limitation in performing computations over encrypted data.

Homomorphic encryption schemes are inherently malleable. In terms of malleability, homomorphic encryption schemes have weaker security properties than non-homomorphic schemes.

Homomorphic encryption schemes have been developed using different approaches. Specifically, fully homomorphic encryption schemes are often grouped into generations corresponding to the underlying approach.[2]

In the following examples, the notation ${\displaystyle {\mathcal {E}}(x)}$ is used to denote the encryption of the message ${\displaystyle x}$.

Unpadded RSA

If the RSA public key has modulus ${\displaystyle n}$ and encryption exponent ${\displaystyle e}$, then the encryption of a message ${\displaystyle m}$ is given by ${\displaystyle {\mathcal {E}}(m)=m^{e}\;{\bmod {\;}}n}$. The homomorphic property is then

${\displaystyle {\begin{aligned}{\mathcal {E}}(m_{1})\cdot {\mathcal {E}}(m_{2})&=m_{1}^{e}m_{2}^{e}\;{\bmod {\;}}n\\[6pt]&=(m_{1}m_{2})^{e}\;{\bmod {\;}}n\\[6pt]&={\mathcal {E}}(m_{1}\cdot m_{2})\end{aligned}}}$

ElGamal

In the ElGamal cryptosystem, in a cyclic group ${\displaystyle G}$ of order ${\displaystyle q}$ with generator ${\displaystyle g}$, if the public key is ${\displaystyle (G,q,g,h)}$, where ${\displaystyle h=g^{x}}$, and ${\displaystyle x}$ is the secret key, then the encryption of a message ${\displaystyle m}$ is ${\displaystyle {\mathcal {E}}(m)=(g^{r},m\cdot h^{r})}$, for some random ${\displaystyle r\in \{0,\ldots ,q-1\}}$. The homomorphic property is then

${\displaystyle {\begin{aligned}{\mathcal {E}}(m_{1})\cdot {\mathcal {E}}(m_{2})&=(g^{r_{1}},m_{1}\cdot h^{r_{1}})(g^{r_{2}},m_{2}\cdot h^{r_{2}})\\[6pt]&=(g^{r_{1}+r_{2}},(m_{1}\cdot m_{2})h^{r_{1}+r_{2}})\\[6pt]&={\mathcal {E}}(m_{1}\cdot m_{2}).\end{aligned}}}$

Goldwasser–Micali

In the Goldwasser–Micali cryptosystem, if the public key is the modulus ${\displaystyle n}$ and quadratic non-residue ${\displaystyle x}$, then the encryption of a bit ${\displaystyle b}$ is ${\displaystyle {\mathcal {E}}(b)=x^{b}r^{2}\;{\bmod {\;}}n}$, for some random ${\displaystyle r\in \{0,\ldots ,n-1\}}$. The homomorphic property is then

${\displaystyle {\begin{aligned}{\mathcal {E}}(b_{1})\cdot {\mathcal {E}}(b_{2})&=x^{b_{1}}r_{1}^{2}x^{b_{2}}r_{2}^{2}\;{\bmod {\;}}n\\[6pt]&=x^{b_{1}+b_{2}}(r_{1}r_{2})^{2}\;{\bmod {\;}}n\\[6pt]&={\mathcal {E}}(b_{1}\oplus b_{2}).\end{aligned}}}$

where ${\displaystyle \oplus }$ denotes addition modulo 2, (i.e. exclusive-or).

Benaloh

In the Benaloh cryptosystem, if the public key is the modulus ${\displaystyle n}$ and the base ${\displaystyle g}$ with a blocksize of ${\displaystyle c}$, then the encryption of a message ${\displaystyle m}$ is ${\displaystyle {\mathcal {E}}(m)=g^{m}r^{c}\;{\bmod {\;}}n}$, for some random ${\displaystyle r\in \{0,\ldots ,n-1\}}$. The homomorphic property is then

${\displaystyle {\begin{aligned}{\mathcal {E}}(m_{1})\cdot {\mathcal {E}}(m_{2})&=(g^{m_{1}}r_{1}^{c})(g^{m_{2}}r_{2}^{c})\;{\bmod {\;}}n\\[6pt]&=g^{m_{1}+m_{2}}(r_{1}r_{2})^{c}\;{\bmod {\;}}n\\[6pt]&={\mathcal {E}}(m_{1}+m_{2}).\end{aligned}}}$

Paillier

In the Paillier cryptosystem, if the public key is the modulus ${\displaystyle n}$ and the base ${\displaystyle g}$, then the encryption of a message ${\displaystyle m}$ is ${\displaystyle {\mathcal {E}}(m)=g^{m}r^{n}\;{\bmod {\;}}n^{2}}$, for some random ${\displaystyle r\in \{0,\ldots ,n-1\}}$. The homomorphic property is then

${\displaystyle {\begin{aligned}{\mathcal {E}}(m_{1})\cdot {\mathcal {E}}(m_{2})&=(g^{m_{1}}r_{1}^{n})(g^{m_{2}}r_{2}^{n})\;{\bmod {\;}}n^{2}\\[6pt]&=g^{m_{1}+m_{2}}(r_{1}r_{2})^{n}\;{\bmod {\;}}n^{2}\\[6pt]&={\mathcal {E}}(m_{1}+m_{2}).\end{aligned}}}$

Other partially homomorphic cryptosystems

• Okamoto–Uchiyama cryptosystem
• Naccache–Stern cryptosystem
• Damgård–Jurik cryptosystem
• Sander–Young–Yung encryption scheme
• Boneh–Goh–Nissim cryptosystem
• Ishai–Paskin cryptosystem
• Castagnos–Laguillaumie cryptosystem[36]

A cryptosystem that supports arbitrary computation on ciphertexts is known as fully homomorphic encryption (FHE). Such a scheme enables the construction of programs for any desirable functionality, which can be run on encrypted inputs to produce an encryption of the result. Since such a program need never decrypt its inputs, it can be run by an untrusted party without revealing its inputs and internal state. Fully homomorphic cryptosystems have great practical implications in the outsourcing of private computations, for instance, in the context of cloud computing.[37]

• Homomorphic secret sharing
• Homomorphic signatures for network coding
• Private biometrics
• Verifiable computing using a fully homomorphic scheme
• Client-side encryption
• Secure multi-party computation
• Format-preserving encryption
• Polymorphic code
• Private set intersection

• Daniele Micciancio's FHE references
• Vinod Vaikuntanathan's FHE references
• "Alice and Bob in Cipherspace". American Scientist. September 2012. Retrieved 2018-05-08.
• HElib, open-source homomorphic encryption library
• Microsoft SEAL, open-source homomorphic encryption library by Microsoft
• PALISADE, open-source lattice cryptography framework
• HEAAN, open-source homomorphic encryption library
• FHEW, open-source homomorphic encryption library
• TFHE, open-source homomorphic encryption library