Journal of Information Security and Applications 000 (2017) 1–10
Journal homepage: www.elsevier.com/locate/jisa
Fully Enhanced Homomorphic Encryption algorithm of MORE approach for real world applications

Khalil Hariss∗, Hassan Noura, Abed Ellatif Samhat
Faculty of Engineering-CRSI, Lebanese University, Hadath Campus, Hadath, Lebanon
∗ Corresponding author.

http://dx.doi.org/10.1016/j.jisa.2017.02.001
2214-2126/© 2017 Elsevier Ltd. All rights reserved.
Please cite this article as: K. Hariss et al., Fully Enhanced Homomorphic Encryption algorithm of MORE approach for real world applications, Journal of Information Security and Applications (2017), http://dx.doi.org/10.1016/j.jisa.2017.02.001

Article info
Article history: Available online xxx
Keywords: Fully Homomorphic Encryption scheme; MORE; Dynamic diffusion and permutation primitives; Security analysis

Abstract
The design of a Homomorphic Encryption (HE) algorithm that allows computation over encrypted data is required in real world modern applications to preserve privacy. Such applications include Cloud Computing, shared storage, processing resources, etc. The existing solutions are not practical for real world applications. Asymmetric approaches suffer from high computation overhead, while symmetric approaches suffer from low immunity against attacks such as chosen and known plaintext attacks. In this paper, we consider symmetric approaches and we focus on the Matrix Operation for Randomization and Encryption (MORE) approach to build a new algorithm that overcomes the drawbacks of MORE. The proposed algorithm is explained in detail and evaluated. The security performance results show that the proposed approach can prevent strong attacks without degrading system performance in terms of latency and energy consumption. © 2017 Elsevier Ltd. All rights reserved.

1. Introduction
Encryption is one of the most common techniques used for preserving the privacy of users' data, but users are sometimes forced to reveal their secret encryption keys to other parties so that these parties can process their sensitive data. Homomorphic Encryption (HE) is a new cryptographic research topic that was introduced to help users preserve the confidentiality and privacy of their data by allowing untrusted parties to perform computations over encrypted data. HE has become an important need in real world modern applications such as Cloud Computing, data aggregation in wireless sensor network scenarios, Electronic Voting, Spam filters, etc. In such applications, HE allows the creation of new techniques that run over encrypted inputs and produce encrypted outputs without learning anything about the underlying data when they are used by untrusted parties. Thus users' privacy is guaranteed.

Several homomorphic ideas have been introduced in the literature. A state of the art of the existing HE algorithms is given in [1–3]. RSA, explained in [4], is the first HE cryptosystem. Gentry also examined a Fully Homomorphic Encryption (FHE) scheme based on ideal lattices in [5,6]. DGHV, another FHE scheme, was presented by Van Dijk et al. in [7]. MORE (Matrix Operation for Randomization and Encryption) and PORE (Polynomial Operation for Randomization and Encryption), two FHE algorithms based on linear transformations, are explained in [8–10], and Josep Domingo-Ferrer also discussed in [11,12] an FHE approach based on polynomial calculations. Two additive HE schemes, Iterated Hill Cipher (IHC) and Modified Rivest Scheme (MRS), are presented in [13,14]. The implementation of the homomorphic Paillier cryptosystem in a cloud scenario is given in [15].

None of the existing algorithms is efficient for real world applications. Asymmetric ones such as Gentry [5,6] and DGHV [7] suffer from computational complexity. Symmetric ones such as MORE [9] and PORE [10] are introduced with an encryption process satisfying the homomorphic properties. However, they encounter some drawbacks including the storage overhead and the weakness against chosen/known plaintext attacks.

To understand the concept of HE, we define C to be a circuit that performs a certain operation (querying, downloading a file from the Internet, comparing two values, adding two values, etc.). Any circuit C can be written as a Boolean function and any Boolean function can be written in polynomial form. We know that any polynomial form is merely a set of addition and multiplication operations. A scheme is defined to be a Fully Homomorphic Encryption (FHE) scheme if it satisfies the two following basic properties of addition and multiplication:

$$[Enc_K(x_1) + Enc_K(x_2)] \bmod N = [Enc_K([x_1 + x_2] \bmod N)] \bmod N \tag{1}$$

$$[Enc_K(x_1) \times Enc_K(x_2)] \bmod N = [Enc_K([x_1 \times x_2] \bmod N)] \bmod N \tag{2}$$

where $x_1$, $x_2$ are two plaintexts in a ring $\mathbb{Z}_N$, $Enc$ is the encryption algorithm and $K$ is the symmetric key. In addition, the evaluation function is introduced where all computations are related to the circuit C. It is defined in a symmetric scenario with circuit C by:
1. → evaluate($K, C, \theta_1, \theta_2, \theta_3, \ldots, \theta_t$) where $\theta_i = Enc_K(m_i)$, $m_i$ is a plaintext, $K$ is the symmetric key and $i = 1, 2, 3, \ldots, t$.
2. Any encryption algorithm is evaluated as homomorphic if = $Enc_K(C(m_1, m_2, \ldots, m_t))$.

To our knowledge there is no efficient FHE scheme practical for real world applications. We consider in this paper the MORE approach and we build a new encryption algorithm (Enhanced MORE) that provides a dynamic implementation and high immunity against attacks. The proposed enhancements are evaluated, and the Enhanced MORE algorithm performs better than MORE and PORE in the security analysis. The rest of this paper is organized as follows. Section 2 explains the MORE and PORE approaches. Section 3 introduces Enhanced MORE, i.e. our enhancement steps for the MORE approach. Security analysis and performances of the Enhanced MORE algorithm are given in Section 4 in addition to a comparison with the MORE and PORE approaches. Conclusions are drawn in Section 5.

2. MORE and PORE approaches

2.1. MORE approach
In [9,10], a matrix idea called MORE (Matrix Operation for Randomization and Encryption) is investigated for building a FHE scheme (an example of the MORE Approach is given in Appendix A). The proposed method is defined by the following matrix equation:

$$E(m, k) = K^{-1} \begin{pmatrix} m & 0 \\ 0 & r \end{pmatrix} K \tag{3}$$

where $m$ is the plaintext, $r$ is a random integer in a ring $\mathbb{Z}_N$, $K$ is an invertible $2 \times 2$ matrix over $\mathbb{Z}_N$ and $K^{-1}$ is its corresponding inverse. The decryption process is simply the inverse of the encryption process by applying:

$$D(m, k) = K\,E(m, k)\,K^{-1} = \begin{pmatrix} m & 0 \\ 0 & r \end{pmatrix} \tag{4}$$

The introduced encryption algorithm provides additive and multiplicative properties:

$$E(m_1) + E(m_2) = K^{-1} \begin{pmatrix} m_1 & 0 \\ 0 & r_1 \end{pmatrix} K + K^{-1} \begin{pmatrix} m_2 & 0 \\ 0 & r_2 \end{pmatrix} K = K^{-1} \begin{pmatrix} m_1 + m_2 & 0 \\ 0 & r_1 + r_2 \end{pmatrix} K = E(m_1 + m_2) \tag{5}$$

$$E(m_1) \times E(m_2) = K^{-1} \begin{pmatrix} m_1 & 0 \\ 0 & r_1 \end{pmatrix} K \times K^{-1} \begin{pmatrix} m_2 & 0 \\ 0 & r_2 \end{pmatrix} K = K^{-1} \begin{pmatrix} m_1 \times m_2 & 0 \\ 0 & r_1 \times r_2 \end{pmatrix} K = E(m_1 \times m_2) \tag{6}$$

One can see that the MORE approach is FHE because it satisfies both homomorphic properties. But this approach presents high storage overhead and in [16] a key recovery attack on MORE that requires only side channel information on plaintext is given. Thus providing an inefficient FHE algorithm.

2.2. PORE approach
The PORE approach, which stands for Polynomial Operation for Randomization and Encryption, is proposed in [10]. It is a FHE algorithm that satisfies both properties, addition and multiplication. A summary of this FHE algorithm is given in Table 1, as we implement it to achieve the comparison with our Enhanced MORE.

Table 1. PORE approach.
Secret key: $K = (v_1, v_2)$
Public parameters: $b = -(v_1 + v_2) \bmod N$, $c = (v_1 v_2) \bmod N$
Plaintext space: set of $x$ in a ring $\mathbb{Z}_N$
Encryption process: $Enc(x) = (a, d)$ that satisfies $a v_1 + d = x$ and $a v_2 + d = r$, where $r$ is a random integer
Ciphertext space: set of $(a, d) \in \mathbb{Z}_N \times \mathbb{Z}_N$
Decryption process: $x = (a v_1 + d) \bmod N$
Fully Homomorphic: $b$ and $c$ should be exposed to the cloud.

3. Building the Enhanced MORE
Based on the MORE Approach, Enhanced MORE is built without altering its homomorphic behavior. The different enhancement steps are illustrated in Fig. 1 and will be explained below:

Fig. 1. Enhanced MORE implementation.

3.1. Dynamic key generation (DK)
The two end hosts should agree on two secret parameters: a secret key and an initial vector (IV). Using a secure hash algorithm, a dynamic key (DK) of 64 bytes is created. Three different keys are picked and used to form three different cipher layers as follows (Fig. 1):
• $DK_p$: Dynamic Key for Permutation formed of 23 bytes.
• $DK_d$: Dynamic Key for Diffusion formed of 16 bytes.
• $DK_s$: Dynamic Key for Selection formed of 23 bytes.

3.2. Permutation box
Using $DK_p$, a permutation box is generated and applied over the input plaintext. In our Enhanced MORE implementation, the creation of a permutation box is done similar to [17]. The key dependent permutation technique is employed because it preserves the homomorphic properties [17,18]. The interpretation of the homomorphic behavior of a permutation box is shown as follows: Suppose that we have a permutation box called $\pi$ of dimension $N$ defined by: $\pi = [p_i]_{1 \le i \le N}$. Two plaintexts $X$ and $Y$ of dimension $N$ are given: $X = [x_i]_{1 \le i \le N}$ and $Y = [y_i]_{1 \le i \le N}$. After permutation $\pi(X) = [x_{p_i}]_{1 \le i \le N}$ and $\pi(Y) = [y_{p_i}]_{1 \le i \le N}$. Suppose that is a law defined over the plaintexts by: $X\ Y = [x_i]_{1 \le i \le N}\ [y_i]_{1 \le i \le N} = [x_i\ y_i]_{1 \le i \le N} = [z_i]_{1 \le i \le N} = Z$. $\pi(X\ Y) = \pi(Z) = [z_{p_i}]_{1 \le i \le N} = [x_{p_i}\ y_{p_i}]_{1 \le i \le N}$. And $\pi(X)\ \pi(Y) = [x_{p_i}]_{1 \le i \le N}\ [y_{p_i}]_{1 \le i \le N} = [x_{p_i}\ y_{p_i}]_{1 \le i \le N}$. Since $\pi(X\ Y) = \pi(X)\ \pi(Y)$, we can deduce the homomorphic behavior of $\pi$.

3.3. Dynamic block encryption
After the Permutation box, the permuted plaintext of dimension $l$ is divided into $H$ blocks, where $H = \frac{l}{n}$ and $n$ is the block size, as shown in Fig. 2. Each block of dimension $n$ is encrypted with the MORE approach with an encryption key chosen dynamically from a secret key bank using a dynamic selection algorithm (Fig. 1).

Fig. 2. Decomposition into block format.

Fig. 3. An example of creation of a dynamic K matrix: (a) for n = 8 and (b) for n = 32.

3.4. Matrix key bank generation
The different keys used during the encryption process are chosen dynamically from a secret Matrix key bank. In fact this Matrix key bank is a set of invertible matrices with their inverses. This secret key bank is generated based on the following steps:

3.4.1. Simple generation of an invertible integer secret key dependent matrix K
Based on Eq. (3), an important condition for satisfying the MORE approach is to find an invertible secret key matrix $K$. In [9,10], the authors have demonstrated that the probability of finding an invertible matrix in a ring $\mathbb{Z}_N$ is high, but finding this matrix with its inverse exposes the Enhanced MORE to computational complexity. In [19] we adopted an efficient technique for generating an invertible matrix with its inverse in a ring $\mathbb{Z}_N$ as follows: Starting from a matrix

$$k = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$$

its corresponding determinant $Det(k) = ad - bc$, assume that $Det(k) = ad - bc = 1$ and $a = d$. Under the conditions listed above we have: $a^2 - bc = 1$, so $bc = a^2 - 1 = (a + 1)(a - 1)$, then we can write $b = a + 1$ and $c = a - 1$. As a result, the matrix $k$ is given by the following form:

$$k = \begin{pmatrix} a & a + 1 \\ a - 1 & a \end{pmatrix} \tag{7}$$

Since $Det(k) = 1$, the matrix $k$ is obviously invertible, and $k^{-1}$ is

$$k^{-1} = \begin{pmatrix} a & -(a + 1) \\ -(a - 1) & a \end{pmatrix} \tag{8}$$

If the parameter $a$ is replaced by sub matrix $A$, we get

$$K = \begin{pmatrix} A & A + I \\ A - I & A \end{pmatrix} \tag{9}$$

where $I$ and $A$ are the identity matrix and a non-zero matrix of size $n/2$ respectively. Additionally, the elements of $A$ can be freely chosen from any Galois field such that $K$ is full rank. However, having a matrix $K$ constructed from four sub-matrices ($A$, $B$, $C$ and $D$)

$$K = \begin{pmatrix} A & B \\ C & D \end{pmatrix}$$

The inverse of this matrix when $A = D$, $B = A + I$ and $C = A - I$ can be proven. In this case the determinant of $K$ is given by:

$$\begin{aligned} Det(K) &= Det(A) \times Det(D - C A^{-1} B) \\ &= Det(A) \times Det(A - (A - I) A^{-1} (A + I)) \\ &= Det(A) \times Det(A - (I - A^{-1})(A + I)) \\ &= Det(A) \times Det(A - (A + I - I - A^{-1})) \\ &= Det(A) \times Det(A^{-1}) \\ &= Det(A) \times \frac{1}{Det(A)} = 1 \end{aligned} \tag{10}$$

Since $Det(K) = 1$, the matrix $K$ is always invertible and its inverse integer matrix $K^{-1}$ is:

$$K^{-1} = \begin{pmatrix} A & -A - I \\ -A + I & A \end{pmatrix} \tag{11}$$

As a result, building a secret invertible matrix $K$ of dimension $n \times n$, where $n$ is always even, as key for the MORE is done by selecting a nonzero random sub matrix $A$ of dimension $n/2$, and by applying the matrix forms listed respectively in (9) and (11) (see Fig. 3), $K$ and $K^{-1}$ are obtained.
3.4.2. Building the Matrix key bank
In Fig. 1, the different keys used during the dynamic block encryption are picked from a secret matrix bank formed of $w$ invertible matrices with their inverses. Each matrix is of dimension $n \times n$ ($n$ is an even integer). The creation of this bank is done with the three following steps:
1. First step: Based on $DK_d$ and a stream cipher algorithm like RC4, the two end hosts should create a shared secret sequence $s$ of dimension $w \times \frac{n}{2} \times \frac{n}{2}$.
2. Second step: A reshape function can transform the previous sequence $s$ into $w$ sub-matrices of dimension $\frac{n}{2} \times \frac{n}{2}$.
3. Third step: Using the matrix generation equations listed in (9) and (11), a secret key bank of $w$ matrices with their inverses is built where each matrix is of dimension $n \times n$.

3.5. Dynamic key selection algorithm
The Dynamic key selection algorithm is done by creating another permutation box called = $[\delta_i]_{1 \le i \le H}$ that has the length of the number of blocks $H$. The key selection of the block number $k$ is shown in Fig. 4, where the $k$th block $[m_{i(k-1)n+1}, m_{i(k-1)n+2}, \ldots, m_{i(k-1)n+n}]$ of the permuted plaintext is filled in a diagonal matrix format. Based on $k$, the index $\delta_k$ is chosen from the permutation box . Depending on the index $\delta_k$, the couple of keys $(K_{\delta_k}, K^{-1}_{\delta_k})$ is chosen from the secret matrix bank as a dynamic encryption key for the concerned block.

Fig. 4. Dynamic Encryption of block number k.

3.6. Decryption process
The Decryption process is simply the inverse of the encryption process listed in Fig. 1. Having DK and IV, all the secret parameters can be generated. The decryption process is based on the following steps:
1. MORE decryption: Based on $DK_d$ and $DK_s$, the receiving end host can generate the same secret Matrix key bank and the same dynamic selection algorithm. The MORE decryption is done per block and it is the inverse encryption process as given in Eq. (4).
2. Inverse permutation: The destination produces the inverse secret permutation vector $\pi^{-1}$ by using $DK_p$ and the following transformation:

$$\pi^{-1}[\pi[X]] = X \tag{12}$$
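The steps of Sections 3.1 to 3.6 can be put together as follows. This is an added example, not the authors' implementation: SHA-512 as the hash that produces DK, the order in which DK is sliced into the three sub-keys, SHAKE-256 in place of the RC4 keystream, the Fisher-Yates permutation box and the reduction of $\delta_k$ modulo $w$ are all assumptions made for illustration.

```python
import hashlib

N = 256  # plaintext ring Z_256, the ring used in the paper's tests

def keyed_permutation(key, size, label):
    """Key-dependent permutation box: Fisher-Yates driven by SHAKE-256 output.
    (Assumed construction; the paper builds its box as in [17].)"""
    ks = hashlib.shake_256(label + key).digest(4 * size)
    perm = list(range(size))
    for i in range(size - 1, 0, -1):
        j = int.from_bytes(ks[4 * i:4 * i + 4], "big") % (i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm

def matmul(X, Y):
    n = len(X)
    return [[sum(X[i][t] * Y[t][j] for t in range(n)) % N for j in range(n)]
            for i in range(n)]

def diag(values):
    n = len(values)
    return [[values[i] if i == j else 0 for j in range(n)] for i in range(n)]

def key_pair(A):
    """Eq. (9) and Eq. (11): K = [[A, A+I], [A-I, A]] and
    K^-1 = [[A, -A-I], [-A+I, A]], both reduced mod N."""
    h = len(A)
    K = [[0] * (2 * h) for _ in range(2 * h)]
    Kinv = [[0] * (2 * h) for _ in range(2 * h)]
    for i in range(h):
        for j in range(h):
            a, e = A[i][j], int(i == j)
            K[i][j] = K[i + h][j + h] = Kinv[i][j] = Kinv[i + h][j + h] = a % N
            K[i][j + h], K[i + h][j] = (a + e) % N, (a - e) % N
            Kinv[i][j + h], Kinv[i + h][j] = (-a - e) % N, (-a + e) % N
    return K, Kinv

def session(secret, iv, length, n, w):
    """Derive what both hosts need: pi and one (K, K^-1) pair per block."""
    dk = hashlib.sha512(secret + iv).digest()        # 64-byte DK (assumed hash)
    dkp, dkd, dks = dk[:23], dk[23:39], dk[39:62]     # assumed slice order
    h, H = n // 2, length // n
    s = hashlib.shake_256(b"bank" + dkd).digest(w * h * h)  # stand-in for RC4
    bank = [key_pair([[s[m * h * h + i * h + j] for j in range(h)]
                      for i in range(h)]) for m in range(w)]
    pi = keyed_permutation(dkp, length, b"pi")
    delta = keyed_permutation(dks, H, b"delta")
    # Assumption: delta_k is reduced mod w to index the bank of w matrices.
    return pi, [bank[delta[k] % w] for k in range(H)]

def encrypt(msg, secret, iv, n=4, w=8):
    if n % 2 or len(msg) % n:
        raise ValueError("n must be even and divide the message length")
    pi, keys = session(secret, iv, len(msg), n, w)
    permuted = [msg[p] % N for p in pi]               # pi(X) = [x_{p_i}]
    return [matmul(matmul(Kinv, diag(permuted[k * n:(k + 1) * n])), K)
            for k, (K, Kinv) in enumerate(keys)]      # Eq. (3), per block

def decrypt(blocks, secret, iv, n=4, w=8):
    pi, keys = session(secret, iv, len(blocks) * n, n, w)
    permuted = []
    for E, (K, Kinv) in zip(blocks, keys):
        D = matmul(matmul(K, E), Kinv)                # Eq. (4), per block
        permuted += [D[i][i] for i in range(n)]
    msg = [0] * len(permuted)
    for i, p in enumerate(pi):                        # Eq. (12): undo pi
        msg[p] = permuted[i]
    return msg

def ct_add(c1, c2):
    """Block-wise ciphertext addition mod N."""
    return [[[(a + b) % N for a, b in zip(r1, r2)] for r1, r2 in zip(E1, E2)]
            for E1, E2 in zip(c1, c2)]

def ct_mul(c1, c2):
    """Block-wise ciphertext multiplication mod N."""
    return [matmul(E1, E2) for E1, E2 in zip(c1, c2)]

if __name__ == "__main__":
    key, iv = b"constructed demo key", b"constructed iv"  # sample values
    x = [147, 210, 7, 0, 255, 1, 2, 3]
    y = [10, 20, 30, 40, 50, 60, 70, 80]
    cx, cy = encrypt(x, key, iv), encrypt(y, key, iv)
    print(decrypt(ct_add(cx, cy), key, iv))  # element-wise (x + y) mod 256
    print(decrypt(ct_mul(cx, cy), key, iv))  # element-wise (x * y) mod 256
```

Both ciphertexts must come from the same secret key and IV, since the permutation box and the per-block keys have to match for the block-wise sum and product to decrypt correctly.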
4. Security analysis
To study the resistance of Enhanced MORE against attacks, several tests forming the security analysis are done as listed in [19], where a set of plaintexts in the ring $\mathbb{Z}_{256}$ is picked for the Enhanced MORE implementation. We compare the execution time and the storage overhead of MORE and PORE with Enhanced MORE. As for the security analysis, Enhanced MORE gives higher performances than MORE and PORE because these two encryption algorithms are vulnerable to attacks as they are built on linear transformations.

4.1. Resistance against statistical attacks
To resist statistical attacks, the ciphertext should possess a high degree of randomness. Accordingly, the proposed cipher scheme should ensure the independence and uniformity criteria. Uniformity can be shown visually by plotting the histogram of the ciphertext and validated by statistical tests such as the entropy test on the encrypted sequence. The independence criterion can be shown visually by plotting the recurrence of the encrypted data. This criterion can also be validated by statistical tests such as the percentage of difference at the bit level between the original and encrypted data (difference test) and the correlation coefficient between the original and encrypted data. All these tests are applied in the following to show that these criteria are attained by the proposed scheme, which can successfully resist statistical attacks.

4.1.1. Uniformity property
According to the previous description, two tests were carried out to validate that the proposed scheme ensures the uniformity property: the distribution test and the entropy test, described in the following.

Distribution test. To resist statistical attacks, a cryptosystem should have a ciphertext distribution close to uniform, so that no useful information is available that would allow this kind of attack to break the cipher. The distribution of the used plaintext and the distribution of its corresponding ciphertext are shown in Fig. 5 (a) and (b) respectively. According to the results, the distribution of the ciphertext after applying the Enhanced MORE is close to the uniform distribution. Therefore, the proposed cipher can resist any statistical attack.

Fig. 5. Distribution Test: (a) Original message, (b) Cipher message.

Entropy test. To measure the level of uncertainty in a random variable, the entropy is used as a metric. The entropy is defined for a message $m$ by the following equation:

$$H(m) = \sum_{i=0}^{2^M - 1} p(m_i) \log_2 \frac{1}{p(m_i)} \tag{13}$$

where $p(m_i)$ represents the probability of occurrence of symbol $m_i$ and $2^M$ is the total number of states of the information source. The entropy of a truly random source is equal to $M$. In our Enhanced MORE, to ensure that the resultant ciphertext is a truly random source, the entropy value should be close to 8 since the implementation is in a ring $\mathbb{Z}_{256}$ ($2^8 = 256$). In Fig. 6, the entropy value is calculated for 10000 ciphertexts. The obtained result gives a mean value equal to 7.9414, very close to 8, with a low standard deviation (Std = 0.005). Therefore the resultant ciphertexts attain uniformity.

Fig. 6. Entropy Test of encrypted messages.

4.1.2. Independence property
In this paper, three tests are required to show that the independence criterion is achieved. They are the recurrence, the correlation and the difference tests, which are explained in the following.

Recurrence test. Consider a data sequence $x_i = x_{(i,1)}, x_{(i,2)}, x_{(i,3)}, \ldots, x_{(i,m)}$ and a vector with delay $t \ge 1$ constructed by $x_i(t) = x_{(i,t)}, x_{(i,2t)}, x_{(i,3t)}, \ldots, x_{(i,mt)}$. The Recurrence Test is to calculate the correlation among these two sequences to measure the evolution of randomness. Fig. 7 (a) represents the correlation among $x_i(t)$ and $x_i(t + 1)$ for the plaintext while Fig. 7 (b) is for the ciphertext. In Fig. 7 (a) we used a set of plaintexts with a mean value equal to 128 and a standard deviation equal to 16. After applying the Enhanced MORE, Fig. 7 (b) presents a high level of randomness among the ciphertext (i.e. no clear pattern is shown after the encryption process).

Fig. 7. Recurrence Test: (a) Original message, (b) Cipher message.

Correlation test. A low correlation between the ciphertexts and the plaintexts is mandatory in a good crypto-system. The correlation coefficient between the original and the encrypted plaintexts is computed as follows:

$$\rho_{x,y} = \frac{cov(x, y)}{\sqrt{D(x)} \times \sqrt{D(y)}} \tag{14}$$

where $cov(x, y) = E[\{x - E(x)\}\{y - E(y)\}]$, $E(x) = \frac{1}{n} \times \sum_{k=1}^{n} x_k$ and $D(x) = \frac{1}{n} \times \sum_{k=1}^{n} \{x_k - E[x]\}^2$.

In Fig. 8, the correlation test for 10000 iterations is shown. The obtained results are close to zero (mean = −0.06214) with a very low standard deviation (Std = 0.01771). The Enhanced MORE ensures the independence property due to the low correlation between the ciphertexts and the plaintexts.

Fig. 8. Correlation test.

Difference test. A good crypto-system should give at least 50% difference between the ciphertexts and the plaintexts at the bit level. The calculation of this difference is the Difference Test. In Fig. 9, the difference between 10000 couples of ciphertexts and plaintexts is calculated at the bit level. The mean value is 50.009 with a low standard deviation (Std = 0.3150).

Fig. 9. Difference test.

Consequently, the proposed cipher satisfies the different required cryptographic performances. The independence and uniformity criteria are achieved by employing the proposed cipher scheme. This leads to considering the ciphertext as a truly random source. Therefore, these results are presented to show that statistical attacks could not reveal any useful information from the ciphertext and consequently that the proposed scheme is immune against statistical attacks.

4.2. Resistance against several kinds of key attacks
In this part, we present an analysis showing that the proposed scheme can resist the different kinds of attacks related to keys. Indeed, the proposed approach employs the dynamic approach in contrast to the static one used by the existing symmetric homomorphic encryption algorithms.

4.2.1. Weak keys
The proposed key derivation function produces a set of dynamic sub-keys with a high degree of randomness. In addition, all cipher operations such as the produced diffusion matrices and permutation tables are related to the dynamic key to achieve the desirable cryptographic performance. If any weakness exists in any dynamic key, it will not affect the previous and the next processed data. Therefore, the proposed approach provides a good degree of resistance against weak keys. In addition, the variation of the secret key for each periodic interval produces different sets of dynamic keys and consequently prevents accidental key disclosure.

4.2.2. Key sensitivity
The Key Sensitivity test consists of calculating the difference between the ciphertexts at the bit level after making a slight change in the encryption key. The cipher should ensure a key sensitivity value close to 50. Indeed, the sensitivity of the $w$th secret key $K_w$ is calculated as follows:

$$KS_w = \frac{\sum_{k=1}^{T} E_{K_w} \oplus E_{K'_w}}{T} \times 100\%, \quad w = 1, 2, \ldots, 1000 \tag{15}$$

where all the elements of $K'_w$ are equal to those of $K_w$, except a random Least Significant Bit (LSB) of a random byte, and $T$ is the length of the original and cipher packets (in bits). Fig. 10 represents the Key Sensitivity test for 10000 iterations; the mean value is 50.099 with a low standard deviation (Std = 0.3704). The proposed cipher can ensure a high degree of resistance against related key attacks due to the key sensitivity test results.
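The measurements behind Eq. (13), Eq. (14) and the bit-level difference used by the difference test and Eq. (15) can be written as below. This is an added example, not the authors' code (their implementation was in MATLAB): it runs the metrics on basic 2×2 MORE with the key pair of Appendix A, the plaintext sequence and random seed are constructed samples, and correlating each plaintext byte with the first ciphertext byte is an assumption about how the two sequences are paired.

```python
import math
import random
from collections import Counter

N = 256
# 2x2 key pair taken from Appendix A of the paper.
K = [[126, 129], [131, 126]]
K_INV = [[126, 127], [125, 126]]

def matmul(X, Y):
    return [[sum(X[i][t] * Y[t][j] for t in range(2)) % N for j in range(2)]
            for i in range(2)]

def more_encrypt(x, r):
    """Eq. (3): E = K^-1 diag(x, r) K mod N, flattened row by row to 4 bytes."""
    E = matmul(matmul(K_INV, [[x, 0], [0, r]]), K)
    return E[0] + E[1]

def entropy(symbols):
    """Eq. (13): sum of p(m_i) * log2(1 / p(m_i)) over the observed symbols."""
    total = len(symbols)
    return sum(c / total * math.log2(total / c)
               for c in Counter(symbols).values())

def correlation(x, y):
    """Eq. (14): cov(x, y) / (sqrt(D(x)) * sqrt(D(y)))."""
    n = len(x)
    ex, ey = sum(x) / n, sum(y) / n
    cov = sum((a - ex) * (b - ey) for a, b in zip(x, y)) / n
    dx = sum((a - ex) ** 2 for a in x) / n
    dy = sum((b - ey) ** 2 for b in y) / n
    return cov / math.sqrt(dx * dy)

def bit_difference(a, b):
    """Percentage of differing bits between two equal-length byte sequences:
    the difference test, and the core of Eq. (15) and plaintext sensitivity."""
    flipped = sum(bin(p ^ q).count("1") for p, q in zip(a, b))
    return 100.0 * flipped / (8 * len(a))

def evaluate(plaintext, seed=1):
    """Run the three measurements on one plaintext sequence."""
    rng = random.Random(seed)            # fixed seed: repeatable sample run
    rs = [rng.randrange(N) for _ in plaintext]
    cipher = [b for x, r in zip(plaintext, rs) for b in more_encrypt(x, r)]
    first = [more_encrypt(x, r)[0] for x, r in zip(plaintext, rs)]
    # Same r, plaintext LSB flipped: isolates the effect of a one-bit change.
    flipped = [b for x, r in zip(plaintext, rs)
               for b in more_encrypt(x ^ 1, r)]
    return {
        "entropy": entropy(cipher),
        "correlation": correlation(plaintext, first),
        "plaintext_sensitivity": bit_difference(cipher, flipped),
    }

if __name__ == "__main__":
    sample = list(range(256))            # constructed plaintext sequence
    for name, value in evaluate(sample).items():
        print(f"{name}: {value:.4f}")
```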
Please cite this article as: K. Hariss et al., Fully Enhanced Homomorphic Encryption algorithm of MORE approach for real world applications, Journal of Information Security and Applications (2017), http://dx.doi.org/10.1016/j.jisa.2017.02.001
ARTICLE IN PRESS
JID: JISA 8
[m5G;February 20, 2017;12:18]
K. Hariss et al. / Journal of Information Security and Applications 000 (2017) 1–10
Fig. 12. Storage overhead comparison.
two plaintexts that differ only in one bit. The obtained results give a mean value equal to 28.74 with a low standard deviation (Std = 0.9994 ). Thus, the mean value is lower than 50.
Fig. 10. Key sensitivity test.
Fig. 11. Plaintext sensitivity test.
4.2.3. Brute force attacks The size of the secret key can be 128, 196, and 256 bits such as AES and the size of the dynamic key is 512 bits, which are sufficient enough to protect the proposed cipher against the brute force attacks. 4.3. Resistance against chosen/known plaintext/ciphertext attacks Unfortunately, the symmetric FHE is insecure against chosen/known plaintext/ciphertext attacks due to its linearity. As a consequence, this weak points are analyzed and overcomes in the proposed solution as described in the following. 4.3.1. Plaintext sensitivity The plaintext sensitivity is used to highlight the importance of Avalanche Effect in a crypto-system. The Avalanche Effect means that one bit change in the plaintext, will change at least half bits of the correspondent ciphertext. The Avalanche Effect property can ensure the required resistance against chosen/known plaintext/ciphertext attacks, if a dynamic key approach is employed which is our main idea. Numerically spoken, a good crypto-system should give a plaintext sensitivity close to 50. Fig. 11 shows the difference at the bit level for 10 0 0 0 couple of ciphertexts related to 10 0 0 0 couples of plaintexts, where each couple is formed of
4.3.2. Why proposed scheme resists chosen/known plaintext/ciphertext attacks Enhanced MORE does not provide the total Avalanche Effect which may expose it to chosen/known plaintext/ciphertext attacks but gives better performance than the MORE Approach because it is mentioned in [8] that chosen plaintext attack on the MORE is possible by merely two chosen plaintext/ciphertext pairs. This is the traditional case, when a static invertible diffusion matrix K is used. However, the proposed approach generates a set of diffusion matrices that change for each session time. As a conclusion, one of the most important benefits of the dynamic structure that it permits to overcome this vulnerability. More important, a global permutation process is introduced in the proposed scheme, and it is realized at message level to eliminate the sequential order of data that could be chosen in the plaintext/ciphertext attacks. Therefore, the designed dynamic permutation operation and the dynamic diffusion operation complicate the task of attacks which become really hard. In addition, a set of possible permutation tables (a set of P-boxes instead of one) are generated based on DK. For each input message, a P-box is selected from the set of stored P-boxes in a pseudo-random manner. This will also prevent chosen/known plain/cipher text attacks. Another recommendation is proposed in this paper is to use the Dynamic Key (DK) for short encryption sessions. 4.4. Resistance against modern future powerful attacks The employment of the dynamic key approach will provide the required resistance degree to prevent the future powerful attacks. This discussion is presented in this paper to validate the safe employment of the proposed approach and to prove that it can resist the most well known attacks. For the best of our knowledge, this is the first work that proposes the dynamic approach to ensure a robust symmetric FHE candidate with lower latency and resource requirements. 5. 
Performance analysis To achieve efficiency, a good crypto-system should provide a low storage overhead and low latency. To evaluate the efficiency of our Enhanced MORE, in the next subsections we will study the storage overhead and the execution time and will compare them with some existing algorithms. 5.1. Storage overhead Fig. 12 shows two different block formats of dimension n related to MORE and Enhanced MORE encryption respectively. In our Enhanced MORE, it is very clear that instead of using n − 1 random integers during the encryption process, the diagonal of the plaintexts matrix is filled by n permuted plaintexts benefiting from the homomorphic behavior of the permutation box. As a conclusion,
Please cite this article as: K. Hariss et al., Fully Enhanced Homomorphic Encryption algorithm of MORE approach for real world applications, Journal of Information Security and Applications (2017), http://dx.doi.org/10.1016/j.jisa.2017.02.001
ARTICLE IN PRESS
JID: JISA
[m5G;February 20, 2017;12:18]
K. Hariss et al. / Journal of Information Security and Applications 000 (2017) 1–10
9
Table 2 Execution time RATIO(Enhanced MORE / MORE). Plaintext size in bytes Execution time ratio
800 0.5850
1600 0.6229
2400 0.775
3200 0.7813
40 0 0 0.7485
4800 0.7482
5600 0.7442
6400 0.7258
7200 0.7407
80 0 0 0.7421
the encryption of m bytes plaintexts formed using MORE Approach gives a ciphertext of dimension m × n × n bytes, while Enhanced MORE gives a ciphertext of dimension m × n bytes.

Fig. 13. Execution time.

5.2. Execution time

Enhanced MORE (4 × 4), MORE (4 × 4) and PORE implementations are done under MATLAB on a Toshiba laptop with the following specifications: Processor Intel(R) Core(TM) i5-4200U CPU @ 1.60GHz, 2301Mhz, 2 Core(s), 4 Logical Processor(s). The execution time is studied for different plaintext sizes, and for each plaintext size the mean execution time is measured over 10000 iterations. The result is shown in Fig. 13. Our Enhanced MORE has the lowest execution time, while MORE has the highest. The reason is that Enhanced MORE encrypts by filling the diagonal with 4 permuted plaintexts, while the MORE approach fills the diagonal with one plaintext and 3 random integers, which makes our algorithm more efficient and practical. Table 2 shows the improvement of our Enhanced MORE (4 × 4) over the MORE (4 × 4) approach in terms of execution time.

6. Conclusion

In this paper, we proposed an Enhanced FHE algorithm. Based on the MORE approach, we build a new practical FHE algorithm for real-world applications that require lower latency and fewer resources. The new encryption algorithm is based on a symmetric approach and ensures efficiency, robustness and dynamic implementation, in addition to the homomorphic properties. To overcome the lack of the avalanche effect, different countermeasures are used: dynamic permutation operations at the message level and a dynamic MORE algorithm are employed to prevent any chosen/known plaintext/ciphertext attack. To the best of our knowledge, we are the first to present a dynamic structure for a symmetric FHE algorithm that ensures an efficient implementation and safe employment.

Appendix A. MORE example

- Suppose that the plaintext ring is $\mathbb{Z}_{256}$; we pick from it two plaintexts $x_1 = 147$ and $x_2 = 210$.

- In the ring $\mathbb{Z}_{256}$, we build the invertible matrix $K$, with its corresponding inverse $K^{-1}$:

$$K = \begin{pmatrix} 126 & 129 \\ 131 & 126 \end{pmatrix}, \qquad K^{-1} = \begin{pmatrix} 126 & 127 \\ 125 & 126 \end{pmatrix}.$$

- To encrypt the two plaintexts $x_1$ and $x_2$ using the MORE approach, we pick two random integers $r_1 = 200$ and $r_2 = 75$ for $x_1$ and $x_2$ respectively:

$$Enc_K(x_1) = \left(K^{-1} \times \begin{pmatrix} x_1 & 0 \\ 0 & r_1 \end{pmatrix} \times K\right) \bmod N = \left(\begin{pmatrix} 126 & 127 \\ 125 & 126 \end{pmatrix} \times \begin{pmatrix} 147 & 0 \\ 0 & 200 \end{pmatrix} \times \begin{pmatrix} 126 & 129 \\ 131 & 126 \end{pmatrix}\right) \bmod 256 = \begin{pmatrix} 244 & 234 \\ 66 & 103 \end{pmatrix}.$$

$$Enc_K(x_2) = \left(K^{-1} \times \begin{pmatrix} x_2 & 0 \\ 0 & r_2 \end{pmatrix} \times K\right) \bmod N = \left(\begin{pmatrix} 126 & 127 \\ 125 & 126 \end{pmatrix} \times \begin{pmatrix} 210 & 0 \\ 0 & 75 \end{pmatrix} \times \begin{pmatrix} 126 & 129 \\ 131 & 126 \end{pmatrix}\right) \bmod 256 = \begin{pmatrix} 103 & 114 \\ 170 & 182 \end{pmatrix}.$$

- Additive homomorphic property:

$$[Enc_K(x_1) + Enc_K(x_2)] \bmod N = \left(\begin{pmatrix} 244 & 234 \\ 66 & 103 \end{pmatrix} + \begin{pmatrix} 103 & 114 \\ 170 & 182 \end{pmatrix}\right) \bmod 256 = \begin{pmatrix} 91 & 92 \\ 236 & 29 \end{pmatrix}.$$

- Let $r_+ = r_1 + r_2 = 275$ and $(x_1 + x_2) \bmod N = (147 + 210) \bmod 256 = 101$:

$$[Enc_K([x_1 + x_2] \bmod N)] \bmod N = K^{-1} \times \begin{pmatrix} x_1 + x_2 & 0 \\ 0 & r_+ \end{pmatrix} \times K = \left(\begin{pmatrix} 126 & 127 \\ 125 & 126 \end{pmatrix} \times \begin{pmatrix} 101 & 0 \\ 0 & 275 \end{pmatrix} \times \begin{pmatrix} 126 & 129 \\ 131 & 126 \end{pmatrix}\right) \bmod 256 = \begin{pmatrix} 91 & 92 \\ 236 & 29 \end{pmatrix}.$$

- Since $[Enc_K(x_1) + Enc_K(x_2)] \bmod N = [Enc_K([x_1 + x_2] \bmod N)] \bmod N$, MORE is additive homomorphic.

- Multiplicative homomorphic property:

$$[Enc_K(x_1) \times Enc_K(x_2)] \bmod N = \left(\begin{pmatrix} 244 & 234 \\ 66 & 103 \end{pmatrix} \times \begin{pmatrix} 103 & 114 \\ 170 & 182 \end{pmatrix}\right) \bmod 256 = \begin{pmatrix} 144 & 4 \\ 244 & 158 \end{pmatrix}.$$

- Let $r_\times = (r_1 \times r_2) \bmod N = 152$ and $(x_1 \times x_2) \bmod 256 = 150$:

$$[Enc_K([x_1 \times x_2] \bmod N)] \bmod N = K^{-1} \times \begin{pmatrix} x_1 \times x_2 & 0 \\ 0 & r_\times \end{pmatrix} \times K = \left(\begin{pmatrix} 126 & 127 \\ 125 & 126 \end{pmatrix} \times \begin{pmatrix} 150 & 0 \\ 0 & 152 \end{pmatrix} \times \begin{pmatrix} 126 & 129 \\ 131 & 126 \end{pmatrix}\right) \bmod 256 = \begin{pmatrix} 144 & 4 \\ 244 & 158 \end{pmatrix}.$$

- Since $[Enc_K(x_1) \times Enc_K(x_2)] \bmod N = [Enc_K([x_1 \times x_2] \bmod N)] \bmod N$, MORE is multiplicative homomorphic.

- The MORE approach satisfies both properties, addition and multiplication, so this homomorphic algorithm is fully homomorphic (FHE).
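The appendix computation can be replayed and checked mechanically. The Python sketch below is an added example, not code from the paper (whose implementation was in MATLAB); the function names are assumptions of this example, and `decrypt` is obtained by inverting the encryption formula of the appendix rather than quoted from it.

```python
# Added example: MORE over Z_256 with the key and values of Appendix A.
N = 256
K = [[126, 129], [131, 126]]        # secret key matrix from the appendix
K_INV = [[126, 127], [125, 126]]    # its inverse modulo 256

def matmul(a, b, n=N):
    """Multiply two square matrices modulo n."""
    size = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(size)) % n
             for j in range(size)] for i in range(size)]

def matadd(a, b, n=N):
    """Add two matrices element-wise modulo n."""
    return [[(x + y) % n for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def check_key(k=K, k_inv=K_INV):
    """Return True when k_inv inverts k modulo N in both orders."""
    ident = [[int(i == j) for j in range(len(k))] for i in range(len(k))]
    return matmul(k, k_inv) == ident and matmul(k_inv, k) == ident

def encrypt(x, r):
    """Enc_K(x) = K^-1 * diag(x, r) * K mod N, with r the random value."""
    return matmul(matmul(K_INV, [[x % N, 0], [0, r % N]]), K)

def decrypt(c):
    """Undo the conjugation: K * C * K^-1 = diag(x, r); return x."""
    diag = matmul(matmul(K, c), K_INV)
    if diag[0][1] or diag[1][0]:
        # A matrix that does not diagonalise under K was not produced
        # by encrypt() or by sums/products of such ciphertexts.
        raise ValueError("not a valid MORE ciphertext under this key")
    return diag[0][0]

if __name__ == "__main__":
    c1, c2 = encrypt(147, 200), encrypt(210, 75)
    print("key ok  :", check_key())
    print("Enc(x1) :", c1)
    print("Enc(x2) :", c2)
    print("sum     :", matadd(c1, c2), "->", decrypt(matadd(c1, c2)))
    print("product :", matmul(c1, c2), "->", decrypt(matmul(c1, c2)))
```

The appendix leaves $r_+ = 275$ unreduced; because every operation is taken modulo 256, `encrypt(101, 275)` and `encrypt(101, 19)` give the same ciphertext.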
References

[1] Aguilar-Melchor C, Fau S, Fontaine C, Gogniat G, Sirdey R. Recent advances in homomorphic encryption: A possible future for signal processing in the encrypted domain. IEEE Signal Process Mag 2013;30(2):108–17.
[2] Fau S, Sirdey R, Fontaine C, Aguilar-Melchor C, Gogniat G. Towards practical program execution over fully homomorphic encryption schemes. In: P2P, parallel, grid, cloud and internet computing (3PGCIC), 2013 IEEE eighth international conference on; 2013. p. 284–90.
[3] Fontaine C, Galand F. A survey of homomorphic encryption for nonspecialists. Springer, EURASIP J Inf Secur 2007;2007(1):1–10.
[4] Rivest R, Shamir A, Adleman L. A method for obtaining digital signatures and public-key cryptosystems. Commun ACM 1978;21(2):120–6.
[5] Gentry C. A fully homomorphic encryption scheme. PhD thesis. Stanford University; 2009.
[6] Gentry C. Fully homomorphic encryption using ideal lattices. In: STOC ’09 proceedings of the forty-first annual ACM symposium on theory of computing. New York, NY, USA: ACM; 2009. p. 169–78.
[7] van Dijk M, Gentry C, Halevi S, Vaikuntanathan V. Fully homomorphic encryption over the integers. EUROCRYPT’2010 (LNCS) vol. 6110. pp. 24–43.
[8] Sharma I. Fully homomorphic encryption scheme with symmetric keys. In: Rajasthan Technical University, Kota, University College of Engineering, Department of Computer Science and Engineering; 2013.
[9] Xiao L, Bastani O, Yen I-L. An efficient homomorphic encryption protocol for multi-user systems. Citeseer, IACR Cryptology ePrint Archive 2012 193.2012.
[10] Kipnis A, Hibshoosh E. Efficient methods for practical fully homomorphic symmetric-key encrypton, randomization and verification. IACR Cryptology ePrint Archive 2012 637 2012.
[11] Ferrer JD. A new privacy homomorphism and applications. Inf Process Lett 1996;60(5):277–82.
[12] Ferrer JD. A provably secure additive and multiplicative privacy homomorphism. In: Universitat Rovira i Virgili, dept. of computer engineering and maths, ISC ’02 Proceedings of the 5th international conference on information security; 2002. p. 471–83. Springer-Verlag London, UK.
[13] Chan AC-F. Symmetric-key homomorphic encryption for encrypted data processing. In: 2009 IEEE international conference on communications; 2009. p. 1–5.
[14] Haridas D, Venkataraman S, Varadan G. Strengthened iterated hill cipher for encrypted processing. In: Parallel distributed and grid computing (PDGC), 2012 2nd IEEE International conference; 2012. p. 491–6.
[15] Nassar M, Erradi A, Malluhi QM. Paillier’s encryption: Implementation and cloud applications. In: Applied research in computer science and engineering (ICAR), 2015 International conference on, Beirut; 2015. p. 1–5. doi:10.1109/ARCSE.2015.7338149.
[16] Vizár D, Vaudenay S. Cryptanalysis of chosen symmetric homomorphic schemes. Studia Scientiarum Mathematicarum Hungarica 2015;52(2):288–306.
[17] Noura H, Courrousé D. Hldca-wsn: homomorphic lightweight data confidentiality for wireless sensor network. Int Assoc Cryptographic Res IACR2015:928.
[18] Zhang P, Jiang Y, Lin C, Fan Y, Shen X. P-coding: secure network coding against eavesdropping attacks. In: INFOCOM, 2010 Proceedings IEEE; 2010. p. 1–9.
[19] Noura H, Samhat AE, Harkous Y, Yahiya TA. Design and realization of a neural block cipher. In: Applied research in computer science and engineering (IACR), 2015 International conference on, Beirut; 2015. p. 1–6. doi:10.1109/ARCSE2015.7338131.
Please cite this article as: K. Hariss et al., Fully Enhanced Homomorphic Encryption algorithm of MORE approach for real world applications, Journal of Information Security and Applications (2017), http://dx.doi.org/10.1016/j.jisa.2017.02.001