Journal of Information Security and Applications 48 (2019) 102366
Kernel homomorphic encryption protocol
Shamsher Ullah a,∗, Xiang Yang Li a, Muhammad Tanveer Hussain b, Zhang Lan a
a School of Computer Science and Technology, University of Science and Technology of China, Hefei, Anhui 230026, P.R. China
b School of Mathematical Sciences, University of Science and Technology of China, Hefei, Anhui 230026, P.R. China
Article info
Article history: Available online xxx
Keywords: Homomorphic encryption; Fully homomorphic encryption; Levelled homomorphic encryption; Kernel; Kernel homomorphism; Elliptic curve discrete logarithm problem
Abstract
In electronic environments and cloud computing, the growth rate of noise or errors and of computation is increasing day by day. Once the number of noises is exceeded, the whole process of communication fails. To reduce this growth of noise and computation, we propose a novel kernel homomorphic encryption (Ker-HE) scheme. The Ker-HE scheme removes the noise (of addition and multiplication) by using a kernel and a kernel homomorphism. These functions are used to control the exceeding length of the ciphertext during decryption and to remove all the noise or errors. The applied methods of kernel and kernel homomorphism maintain the size of the ciphertext during decryption and prevent all the noise or errors. Therefore our proposed scheme is more suitable with respect to security and computation between communicating parties. The performance of our proposed scheme is 79.12% and 86.64% for the multiplication operation during encryption and decryption, while under the exponentiation operation it has 100% efficiency as compared to existing schemes. The security properties of our proposed scheme are integrity, confidentiality and un-forge-ability. The hardness of our scheme is based on the Elliptic Curve Discrete Logarithm Problem (ECDLP). In our proposed Ker-HE scheme, the kernel function and kernel homomorphism are used to recover from the failure of the injection (one-to-one) function. © 2019 Elsevier Ltd. All rights reserved.
∗ Corresponding author. https://doi.org/10.1016/j.jisa.2019.102366 2214-2126/© 2019 Elsevier Ltd. All rights reserved.
1. Introduction
The growing volume of electronic communication needs to be made secure. A plan for security that uses the concept of encryption is proposed in [3]. Encryption is the mathematical act by which communicating parties can securely exchange data such as video, email, text and images: the message is encoded in such a way that only authorized users can access it. Homomorphic Cryptography (HC) is similar to conventional cryptography. It ensures the privacy of data during communication, processing and storage. The property of homomorphism is used to convert a problem from one algebraic system into another algebraic system. It makes secure delegation of computations between communicating parties possible [4]. Homomorphic Encryption (HE) is an advanced technique which keeps the data secret without decrypting it [5]. In homomorphic encryption the message space of the scheme is always a ring, and the computational model is arithmetic circuits over this ring [6]. In a wide range of security applications, such as electronic voting and Private Information Retrieval (PIR), simple homomorphic cryptosystems are unable to evaluate general transformations on encrypted data [7]. A fully homomorphic encryption scheme is proposed with respect to two algebraic operations, addition and multiplication [8]. In 2014 existing schemes improved the performance of homomorphic encryption, known as fully homomorphic encryption (FHE) and levelled fully homomorphic encryption (LFHE) [6,9,10]. In HE a smaller noise ratio is used in the lower levels of the circuit. In an electronic voting system, some special homomorphic encryption functions make it possible to add up votes without decrypting each vote [10]. The LFHE [6,10] approach is capable of removing the weaker assumption of FHE and is used to evaluate arbitrary circuits of polynomial size. The parameters of the LFHE scheme may depend on the depth of the circuits that the scheme can evaluate, but not on their size. The limitation of LFHE was outsourcing computations to remote servers without compromising privacy [6]. The scheme proposed by C. Gentry in 2009 computes arbitrary functions over encrypted data without the decryption key, i.e., given encryptions E(m1), ..., E(mt) of m1, ..., mt, it efficiently computes a compact ciphertext that encrypts f(m1, ..., mt) for any efficiently computable function f. An FHE [9,11–14] scheme is non-trivial to achieve because it does not require circuit privacy [8,9] and it performs non-trivial homomorphic operations on plaintexts, to prevent obtaining the same plaintexts during refreshed encryption. In evaluating the N-AND augmentation of the decryption circuit, an encryption of π1 N-AND π2 under pk2 is generated using the encrypted secret key (sk1 under pk2) together with the two ciphertexts encrypting (π1, π2) under pk1. Applied recursively, it can evaluate a d-depth circuit of N-ANDs. The main limitation of C. Gentry's [9] scheme has been the growth of the ciphertext per computation in a circuit due to many keys, a large public key and the accumulation of noise. An efficient fully homomorphic encryption scheme based on the learning with errors (LWE) assumption is proposed in [15]. The technique applied in that scheme is dimension modulus reduction. This technique is used to shorten the ciphertext size and also to reduce decryption complexity, without additional assumptions. The security of the scheme is based on the worst-case hardness of Short Vector Problems (SVP) on arbitrary lattices. The communication complexity of the proposed model, based on the public key, is k · polylog(k) + log |DB| bits per single-bit query [15]. In 2013 F. Armknecht et al. [16] stated the need to deduce the theoretical insights of the Paillier scheme [5]; therefore the authors proposed new theoretical insights based on the subgroup problem. In practical homomorphic encryption (PHE) [17,18] the performance of existing implementations is unsuitable for real-time applications like Graphics Processing Units (GPUs) and field programmable gate arrays (FPGAs). W. Wang et al. [19] implemented the GH FHE scheme on two GPUs to further speed up the operations. The results of the W. Wang scheme with a small parameter setting show speed-ups of 174 for encryption, 7.6 for decryption and 13.5 times for recryption, respectively, compared to the Gentry-Halevi implementation [12], and the scheme of K. Lauter et al. [18] improved the efficiency of the existing scheme [20]. RSA and ElGamal [21,22] are the great examples of PHE. Hybrid Homomorphic Encryption (HHE) [15] schemes are used to reduce the ciphertext length.
When a given message m is to be encrypted, rather than using the HE scheme directly, the message m is encrypted using symmetric encryption under a symmetric secret key (symsk), and then symsk itself is encrypted under the HE scheme. Because the encryption of the message m using the HE scheme is very long, symmetric encryption is used to produce a short ciphertext, and the HE scheme is used again for the part that is independent of the message length. In the key generation phase the encryption of symsk is done once. To perform homomorphic operations, the evaluation function uses symsk to decrypt the ciphertexts, obtaining an encryption of m, but now under homomorphic encryption. The result of the homomorphic operations is in the form of a ciphertext, which saves communication complexity (Figs. 1–3).
Fig. 3. Homomorphic encryption for cloud computing.
Fig. 4. Applying a function (f) on input (X) and produce output (X ).
Challenges:
(1) To remove the growth of ciphertexts and noise in a circuit in the existing schemes [9,23], which is due to:
• Countless keys usage
• Bulky public key
• Growths of noises
(2) To set a minimum polynomial time for execution.
(3) To save communication and computation overheads.
Our contributions: In our proposed scheme we apply functions (the kernel function and kernel homomorphism) to provide an efficient size of inputs and outputs. Our contribution is to set parameters with minimum polynomial using the Ker-HE scheme and to give results in minimum polynomial time. In Ker-HE we apply the kernel function [24–26] to control the input size of the circuit during encryption and to control the output size during decryption. These two main functions are used in Ker-HE to control the exceeding size of the whole ciphertexts during encryption, decryption, and recryption (known as evaluation), and they also save communication and computation complexity.
2. Preliminaries
2.1. Functions
A function is a relation between a set of inputs and a set of outputs with the property that each input is given exactly one output [27]. Fig. 4 shows a function (f) applied to the input X to produce the output X.
Fig. 1. Secure communication of homomorphic encryption between sender and receiver.
2.1.1. Surjective function
In a surjective function the image is equal to its co-domain. If the size of the input is larger than the set of outputs, then general cryptographic hash functions [28] are used to manage or resolve its size problem. The limitation of the surjective function is the input size that belongs to the co-domain [29] (Fig. 5).
Fig. 2. Homomorphic encryption for cloud computing.
2.1.2. Injective function
An injective function is the opposite of a surjective function. Injective functions are one-to-one, even when the co-domain has a different size from the inputs, which is a cause of failure [1,2] (Fig. 6).
Fig. 5. Surjective Function.
Fig. 6. Injective Function.
Fig. 7. Bijective Function.
2.1.3. Bijective function
A bijective function is a one-to-one mapping of inputs to outputs. In standard cryptography, a block cipher uses the same number of input and output bits, such as an 8-bit input and an 8-bit output. The standard block ciphers are DES [30], AES [31,32] and Twofish [32]. In a bijective function, the co-domain is the set of possible outputs determined by the size of the input set, and the image of the function is a subset of the co-domain. The co-domain set and the image set are the same set, in which the outputs exist (Fig. 7).
3. Related work
In 1978 Rivest, R., Adleman, L., and Dertouzos, M. [21] first proposed the idea of FHE under the title privacy homomorphism. H. Kevin [33,34] proposed homomorphic cryptosystems to achieve security. In 2009 C. Gentry proposed the concept of fully homomorphic encryption [9], to evaluate circuits over encrypted data without decrypting. In 2011 K. Lauter et al. proposed the "can homomorphic encryption be practical" scheme [18]. The contribution of the K. Lauter et al. scheme is twofold: first, the use of FHE in real-world applications such as medical, financial and advertising applications, which need only that the encryption scheme be somewhat homomorphic; second, a proof-of-concept implementation of the somewhat homomorphic encryption scheme of Z. Brakerski and V. Vaikuntanathan [15,35], whose security is based on the ring learning with errors (Ring LWE) problem. In 2012 J. Fan et al. proposed a somewhat Homomorphic Encryption (somewhat HE) [35] scheme and stated that it can be much faster and more compact than a Fully Homomorphic Encryption (FHE) scheme [9] because it supports a limited number of operations. In 2010 S. Damien and R. Steinfeld [37] proposed a faster fully homomorphic encryption scheme, which provides a more aggressive analysis; its hardness is based on the Sparse Subset Sum Problem (SSSP), and for low multiplicative degree the authors implement a probabilistic decryption algorithm with an algebraic circuit.
In 2011 C. Gentry and S. Halevi [12] implemented Gentry's fully homomorphic encryption scheme; the implementation covers the bootstrapping functionality and optimizations for all aspects of the existing Smart and Vercauteren scheme [38]. With the optimization, the key generation method does not need full polynomial inversion. In 2012 R. Meissen proposed [39] a mathematical approach to fully homomorphic encryption, to control the growth rate of errors or noise in ciphertexts during decryption. In 2012 J. Fan and F. Vercauteren proposed [35] somewhat practical fully homomorphic encryption; the authors divide the relinearization into two optimized versions, one for a smaller key and another for fast computations. The noise of the various homomorphic operations, such as addition, multiplication, re-linearization and bootstrapping, needs to be bounded during the analysis of these operations. In 2013 J. Sen proposed [34] homomorphic encryption theory and application. The author says FHE can be used to solve practical problems of cryptography. The challenging task in the existing scheme of C. Gentry (2009) is how to manage the noise, such as the noise of addition and the noise of multiplication. If the noise increases during a homomorphic evaluation and exceeds a firm threshold, decryption fails.
Our contributions are:
1. In our newly proposed Ker-HE scheme, we use a kernel homomorphism, which is capable of operating on encrypted inputs under exclusive or (xor/⊕) (because homomorphic multiplications add more noise to the ciphertext than homomorphic additions). A ciphertext resulting from a kernel evaluation can be decrypted using the secret keys as well as the hash function (h) to compute the original plaintexts.
2. The hardness of our proposed scheme is based on ECDLP, and an eavesdropper fails due to ECDLP.
3. Computation and communication overheads occur due to extra (increased) input and output bit sizes during encryption and decryption; our scheme is more efficient as compared to existing schemes [5,29,40], and we compare it with schemes [5,6,14,15,39,45] with respect to the growing rate of noise.
4. Our scheme reduces the noise resulting during encryption and decryption due to exclusive or (xor/⊕) encryption; it will be safe in both cases, and our scheme will be safe from botch.
5. Kernel and kernel homomorphism are used to control the plaintext size during encryption and the ciphertext size during decryption, respectively.
4. Background
This section contains the background study of relevant techniques and concepts, which are described one by one below.
4.1. Group
An algebraic structure consisting of the elements of a set with an operation that combines any two elements of that set and gives a third element, which belongs to that set, and that also satisfies the conditions of closure, associativity, identity and invertibility is called a group [27].
4.2. Homomorphism
Let the function f: X → Y be any homomorphism, which defines the equivalence relation ∼ on X by a ∼ b if and only if f(a) = f(b). The relation ∼ is called the kernel of the function f. With the operations defined by [x] ∗ [y] = [x ∗ y], the image of X in Y under the homomorphism f is isomorphic to X/∼ by the isomorphism theorem. For a group-like algebraic structure, the equivalence class K of the identity element under the operation characterizes the equivalence relation, and the quotient by the equivalence relation is X mod (K). In this case it is K, rather than ∼, that is called the kernel of f. The kernels K of homomorphism of a given
type of algebraic structure are naturally equipped with some structure such as Abelian groups, vector spaces as well as modules [46]. An isomorphism is a bijection with respect to a group structure: it does not matter whether we first multiply and then take the image, or take the image and then multiply.
Definition 1. In scheme [39], let us suppose that two plaintexts m1, m2 have the two corresponding ciphertexts c1 = Encrypt(m1) = (x1, y1) and c2 = Encrypt(m2) = (x2, y2). We can compute:
$$(x_1 x_2,\; y_1 y_2) = \left(\alpha^{k_1}\alpha^{k_2} \bmod p,\; \alpha^{m_1}\beta^{k_1}\alpha^{m_2}\beta^{k_2} \bmod p\right) = \left(\alpha^{k_1+k_2} \bmod p,\; \alpha^{m_1+m_2}\beta^{k_1+k_2} \bmod p\right)$$
Thus, we can obtain an encryption of the sum of the plaintexts by computing the piecewise product of the ciphertexts.
4.2.1. Noise of addition in ciphertexts
In addition noise, the resulting ciphertexts c of the message m are doubled together, so that the noise of addition of ciphertexts c is 2c.
4.2.2. Noise of multiplication in ciphertexts
In multiplication noise, the resulting ciphertexts c of the message m are squared together, so that the noise of multiplication of ciphertexts c is c². Homomorphic operations mostly increase the noise in the ciphertexts. To handle the noise of addition and multiplication of ciphertexts c after a homomorphic operation, Brakerski and Vaikuntanathan [15] developed a noise management technique known as modulus switching.
4.3. Kernel
A kernel is a way in which we flexibly represent our data samples. The focusing utility of the kernel is plaintexts of different sizes. The kernel trick is the exclusive term of a dot product (.) of x, in which the feature function φ(x) and its dot product with a function is called a kernel [2,25,44].
$$k(x, x_i) = \phi(x)\cdot\phi(x_i) \tag{1}$$
4.4. Kernel function
Let X be the plaintexts; a function v: X × X → R is called a kernel function. It is used to quantify the similarity between a pair (x and x′) ∈ X. It is the exclusive term of a dot product (.) of x, in which the feature function φ(x) and (.) with a function. Kernel methods owe their name to the use of kernel functions, which enable them to operate in a high-dimensional, implicit feature space without ever computing the coordinates of the data in that space, but rather by simply computing the inner products between the images of all pairs of data in the feature space. This operation is often computationally cheaper than the explicit computation of the coordinates. This approach is called the "kernel trick". Kernel functions have been introduced for sequence data, graphs, text, images, as well as vectors [48]. The kernel trick avoids the explicit mapping that is needed to get linear learning algorithms to learn a nonlinear function. For all and in the input space, certain functions can be expressed as an inner product in another space. The function is often referred to as a kernel [47].
4.5. Kernel homomorphism
When a homomorphism fails to be an injection (one-to-one function), we apply a kernel homomorphism. One application of a kernel homomorphism is to measure the degree to which the function is injective. The kernel of a homomorphism is trivial (in a sense relevant to that context) if and only if the homomorphism is injective (see the injective definition below) [1,2].
Definition 2. Let f be a function whose domain is a set X. The function f is said to be injective provided that ∀ m, c ∈ X, whenever f(m) = f(c), then m = c; that is, f(m) = f(c) ⇒ m = c, or equivalently, if m ≠ c, then f(m) ≠ f(c). Symbolically, we can write ∀ m, c ∈ X, f(m) = f(c) ⇒ m = c, which is logically equivalent to the contrapositive ∀ m, c ∈ X, m ≠ c ⇒ f(m) ≠ f(c), where m is the set of plaintexts and c is the set of ciphertexts.
Definition 3. A map φ : G → H between two groups is a homomorphism if for every g, h ∈ G, φ(g ∗ h) = φ(g) ∗ φ(h). Here φ : G → H is the defining map of the homomorphism; for the standard group of order two it is given by the rule:
$$\varphi(x) = \begin{cases} 0 & \text{if } x \text{ is even},\\ 1 & \text{if } x \text{ is odd} \end{cases} \tag{2}$$
Lemma 1. Let ϕ : G → H be a homomorphism.
(1) ϕ(eG) = eH, that is, ϕ maps the identity in G to the identity in H.
(2) ϕ(a⁻¹) = ϕ(a)⁻¹, that is, ϕ maps inverses to inverses.
(3) Since K is a subgroup of G, and φ is a homomorphism, it is clear that ∀ a, b ∈ K, φ(a), φ(b) ∈ φ(K); also by (2), φ(a⁻¹) = φ(a)⁻¹ ∈ φ(K). Thus φ(K) is a subgroup of H.
Proof. Let e be the identity of G and f be the identity of H. We prove ϕ(e) = f.
Identity Property (1). Let
$$a = \varphi(e) = \varphi(e \cdot e) = \varphi(e)\cdot\varphi(e)$$
$$a \cdot a = f \cdot f = f^{2} = f.$$
Since a = f, because f is the identity of H, (1) is proved.
Inverse Property (2). Let a, b ∈ G such that φ(ab⁻¹) = φ(a).(φ(b⁻¹)); putting a = eG and b = a we have
$$\phi(a^{-1}) = \phi(e_G \cdot a^{-1}) = \phi(e_G)\cdot(\phi(a))^{-1} = e_H \cdot (\phi(a))^{-1} = (\phi(a))^{-1}$$
So it is proved that φ(a⁻¹) = φ(a)⁻¹.
4.6. Mapping φ : K → X
Let X = φ(K). We check that X is non-empty and closed under products as well as inverses. According to proof (1), X contains f, the identity of H; by (2), X is closed under inverses; and by definition X is closed under products. So X is a subgroup.
Proposition 1. In scheme [1], let us suppose that H = ⟨x⟩; then |H| = |x|, where if one side of this equality is infinite, so is the other. More specifically:
a) If |H| = n < ∞, then xⁿ = 1 and 1, x, x², ..., x⁽ⁿ⁻¹⁾ are all the distinct elements of H, and
b) If |H| = ∞, then xⁿ = ∞, then xⁿ ≠ 1, ∀ n ≠ 0 and xᵃ ≠ xᵇ, ∀ a ≠ b ∈ Z.
Proof (a): Let |x| = n and first consider the case when n < ∞. The elements 1, x, x², ..., x⁽ⁿ⁻¹⁾ are distinct because if xᵃ = xᵇ, with say 0 ≤ a < b < n, then x⁽ᵇ⁻ᵃ⁾ = x⁰ = 1, contrary to n being the smallest positive power of x giving the identity. Thus H has at least n elements and it remains to show that these are all of them.
Proof (b): Next suppose |x| = ∞, so no positive power of x is the identity. If xᵃ = xᵇ for some a and b, say a < b, then x⁽ᵇ⁻ᵃ⁾ = 1, a contradiction. Distinct powers of x are distinct elements of H, so |H| = ∞, which completes the proof of the proposition.
Proposition 2. In scheme [1], a subgroup N of the group G is normal if and only if it is the kernel of some homomorphism.
Proof. If N is the kernel of the homomorphism ϕ, then Proposition 1 shows that the left cosets of N are the same as the right cosets of N.
4.7. Malleability
Malleability is a property of a cryptographic algorithm in which an adversary transforms a ciphertext into another ciphertext that decrypts to a related plaintext. Given the encryption of a message m, it is possible to generate a ciphertext that decrypts to f(m), for some known function f, without knowing the message m. Malleability is a failing in a general-purpose cryptosystem. For example, a bank account holder wants to send the transfer message "TRANSFER 0000100.00 TO ACCOUNT #199" to account #199. If an attacker can modify the transfer message on the wire and guess the format of the unencrypted message, he/she may be able to change the transaction amount, e.g. "TRANSFER 0100000.00 TO ACCOUNT #227". So malleability does not require the attacker to read the encrypted message before or after tampering. To remove this limitation of malleability, homomorphic encryption schemes are proposed that restrict the functions f that can be applied, without any learning of the contents of the message m [49].
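Definition 1 and the malleability discussion in Section 4.7 describe the same property from two sides, so one added example (not code from the paper) covers both. It uses the ciphertext form of Definition 1 over a constructed toy group; the parameters P, Q, ALPHA, all function names and the HMAC tag used as an integrity check are assumptions of this example, not part of Ker-HE.

```python
"""Exponential ElGamal over a toy prime-order subgroup (constructed parameters)."""
import hashlib
import hmac
import secrets

P = 2039    # toy safe prime, P = 2*Q + 1; far too small for real use
Q = 1019    # prime order of the subgroup generated by ALPHA
ALPHA = 4   # a square mod P other than 1, so its order is exactly Q


def keygen():
    """Return (secret exponent x, public key beta = alpha^x mod p)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(ALPHA, x, P)


def encrypt(beta, m, k=None):
    """Definition 1's ciphertext shape: (alpha^k, alpha^m * beta^k) mod p."""
    if not 0 <= m < Q:
        raise ValueError("plaintext must lie in [0, Q)")
    if k is None:
        k = secrets.randbelow(Q - 1) + 1
    return pow(ALPHA, k, P), (pow(ALPHA, m, P) * pow(beta, k, P)) % P


def combine(c1, c2):
    """Piecewise product (x1*x2, y1*y2): an encryption of m1 + m2 mod Q."""
    return (c1[0] * c2[0]) % P, (c1[1] * c2[1]) % P


def decrypt(x, c):
    """Remove the mask beta^k, then find m with alpha^m equal to the result."""
    mask_inv = pow(pow(c[0], x, P), -1, P)
    target = (c[1] * mask_inv) % P
    acc = 1
    for m in range(Q):          # exhaustive search is fine for a toy Q
        if acc == target:
            return m
        acc = (acc * ALPHA) % P
    raise ValueError("ciphertext does not decrypt to a subgroup element")


def add_constant(beta, c, delta):
    """Shift the hidden plaintext by delta using only the PUBLIC key."""
    return combine(c, encrypt(beta, delta % Q))


def tag(mac_key, c):
    """HMAC-SHA256 over the ciphertext pair (integrity check assumed here)."""
    msg = f"{c[0]}:{c[1]}".encode()
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def verify(mac_key, c, t):
    """Constant-time comparison of the expected and received tags."""
    return hmac.compare_digest(tag(mac_key, c), t)


def demo():
    """Run the homomorphic sum and the shifted-ciphertext check once."""
    x, beta = keygen()
    mac_key = secrets.token_bytes(32)
    c = encrypt(beta, 100)
    t = tag(mac_key, c)
    total = decrypt(x, combine(c, encrypt(beta, 250)))
    shifted = add_constant(beta, c, 800)   # decrypts cleanly, no error raised
    return {
        "sum": total,
        "shifted_plaintext": decrypt(x, shifted),
        "original_tag_ok": verify(mac_key, c, t),
        "shifted_tag_ok": verify(mac_key, shifted, t),
    }


if __name__ == "__main__":
    print(demo())
```

Decryption succeeds on the shifted ciphertext, so a receiver cannot treat successful decryption as evidence of integrity; only the separate tag distinguishes the two ciphertexts.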
4.8. Motivation
Plaintexts and ciphertexts without noise and tampering are the need of day-to-day communication. Therefore, we need to apply such functions (the kernel and kernel homomorphic functions) to avoid this type of limitation. Our scheme is more suitable for rescinding tampering and errors as well as computation.
5. Proposed scheme
The main tuples of the proposed scheme are defined below:
5.1. Notation description
The basic notations of our scheme are: Enc ← Encryption, which is used to encrypt plaintexts into ciphertexts; Dec ← Decryption, which is used to decrypt ciphertexts into plaintexts. Plaintexts are represented by m, r and ciphertexts by c. 2n is the total length of ciphertexts and plaintexts, where 2 is the bit representation, which belongs to {0, 1}, and n = 160 bits of ECC. r is an element of the set of Encryption r and c is an element of the set of Decryption of c. ker is the kernel function (∂), the encryption process of the plaintexts; ker⁻¹ or ∂⁻¹ stands for decryption of ciphertexts c. The homomorphism operation is done by two operators (⊕ and ∗). There are four keys: public ys, private xs, secret sk and evaluation evk, where ys is used for encryption, sk is used for decryption and Eval_evk is used for kernel homomorphism evaluation, where evk is computed from the ciphertexts, the public key and the kernel function (ker). The secret key (sk) is made from h(γ.ys mod(n)), where h is the hash value (used to control the exceeding length of the product of the secret parameter γ and the public key (ys)) under modulus n. The ECC point (g) is used to secure against eavesdropping.
5.2. Encryption
Our scheme's encryption setup is ∂ : Enc(r) mod(n) → c ∈ Dec(c) mod(n).
5.3. Decryption
Our scheme's decryption setup is ∂⁻¹ : Dec(c) mod(n) → r ∈ Enc(r) mod(n).
5.4. Kernel homomorphic encryption (Ker-HE)
Our proposed Ker-HE scheme is based on ECDLP and consists of four polynomial time algorithms (kernel homomorphic key generation, kernel homomorphic encryption, kernel homomorphic decryption and kernel homomorphic evaluation). The defined tuples of the proposed algorithm are KH.KeyGen, KH.Enc, KH.Dec, and KH.Eval, which take probabilistic polynomial time. The plaintexts and ciphertexts belong to a 3×2 vector space under multiplication. The group operation and the group representation should be efficient computations over the 3×2 vector space. In our paper we define a homomorphism ∂ : Enc(r) mod(n) → Dec(c) mod(n), and the ideal set of the kernel homomorphism "∂" for encryption and decryption can be defined as = {r ∈ Enc(r) : ∂(r) = c} and = {c ∈ Dec(c) : ∂⁻¹(c) = r}. The general equation of the kernel homomorphism is given below in Eq. (3). The applied kernel is given in Eq. (3). In Eqs. (4) and (5), we get the original message r after decrypting a ciphertext. When we encrypt two pieces of message r such as r1 and r2, we get the resulting ciphertexts (c1 and c2) from Eqs. (5) and (10), and in decryption we get the plaintexts from (9) and (11).
$$r_1 = \partial^{-1}\left(e_{\mathrm{Dec}(c_1) \bmod (n)}\right) \tag{3}$$
where e ⊆ Dec(c1) mod(n)
$$r_2 = \partial^{-1}\left(e_{\mathrm{Dec}(c_2) \bmod (n)}\right) \tag{4}$$
$$c = \begin{cases} \mathrm{ker}.(r_1 \oplus r_2) = \mathrm{ker}.(r_1) \oplus \mathrm{ker}.(r_2) \\ \mathrm{ker}.(r_1 * r_2) = \mathrm{ker}.(r_1) * \mathrm{ker}.(r_2) \end{cases} \tag{5}$$
$$c_1 = \partial\left(\mathrm{Enc}(r_1) \bmod (n)\right) \tag{6}$$
where ∂(r1 ∈ Enc(r) mod(n))
$$c_2 = \partial\left(\mathrm{Enc}(r_2) \bmod (n)\right) \tag{7}$$
where ∂(r2 ∈ Enc(r) mod(n))
$$c = \partial\left(\mathrm{Enc}(r_1) \bmod (n)\right) \oplus \partial\left(\mathrm{Enc}(r_2) \bmod (n)\right) \tag{8}$$
∂⁻¹ is used as a homomorphism in Eqs. (3) and (4) for decryption, where c1, c2 ∈ Dec(c) mod(n), such that ∂⁻¹c1 = r1, ∂⁻¹c2 = r2 and r1 ⊕ r2 = r, and r1 ∗ r2 = r.
$$r = \begin{cases} \partial^{-1}.(c_1 \oplus c_2) = \partial^{-1}(c_1) \oplus \partial^{-1}(c_2) \\ \partial^{-1}.(c_1 * c_2) = \partial^{-1}(c_1) * \partial^{-1}(c_2) \end{cases} \tag{9}$$
From Eqs. (6) and (7), we can write
$$c = c_1 \oplus c_2 \quad \text{OR} \quad c = c_1 * c_2 \tag{10}$$
From Eqs. (3) and (4), we can write
$$r = r_1 \oplus r_2 \quad \text{OR} \quad r = r_1 * r_2 \tag{11}$$
Note: If we take ⊕ of r1 with r2 and c1 with c2 and vice-versa, without the kernel it will be considered noise.
5.5. Kernel homomorphic algorithm
In our scheme's algorithm, we follow the application of a bijective function (as shown in Fig. 7), in which every element of the domain gives exactly one element in the range. Therefore, by using the kernel and kernel homomorphism, we are safe from the failure and noise which arise during encryption and decryption. It also prevents the noise or errors and controls the exceeding lengths of the ciphertexts. The security of our scheme is based on ECDLP, which is hard for an eavesdropper to break and he/she is able to access the original message contents, and it also reduces computation and communication costs due to the small key size of the elliptic curve. The main phases of our scheme are given below:
5.5.1. Kernel homomorphic key generation phase
In the kernel homomorphic key generation phase, we generate keys such as the public key, the private key and the secret key. The details are given in Algorithm 1.
Algorithm 1 Kernel homomorphic key generation algorithm.
1: KH.KeyGen: User chooses private key and computes his public key. User randomly chooses an integer xs as his private key and computes his public key ys as ys = xs.g mod (n).
2: Compute secret key sk = h(γ.ys mod n), where γ ∈ {0, 1, 2, 3, ..., n − 1} and h is a secure HASH function.
3: KH.Enc takes the public key ys, encrypts a message r and produces a ciphertext c.
4: KH.Dec takes the secret key sk and the ciphertext and produces the original message r.
5: KH.Eval takes the public key ys, an arithmetic circuit f over a ring and ciphertexts (c1, c2, c3, ..., cn), where n is the number of inputs to f, and outputs the ciphertext cf.
5.5.2. Kernel homomorphic encryption (KH.Enc) phase
In this phase we select the message r randomly and compute the ciphertexts c1 and c2 by applying the encryption technique with the public key pk (Algorithm 2).
Algorithm 2 Kernel homomorphic encryption algorithm.
1: Generate a random r ← {0, 1, 2, 3, ..., Fq} mod (n).
2: Compute ciphertext c1 ← (Enc_pk) r1 mod (n).
3: Compute ciphertext c2 ← (Enc_pk) r2 mod (n).
4: Send c1 and c2 to the kernel homomorphic decryption phase.
5.5.3. Kernel homomorphic decryption (KH.Dec) phase
In this phase we decrypt the ciphertexts c1 and c2 by applying the decryption technique with the secret key sk.
5.5.4. Kernel homomorphic evaluation (KH.Eval) phase
In this phase we apply the evaluation key, the kernel (ker) and the ciphertexts (ci) to evaluate the originality of the plaintexts r.
6. Analysis of kernel homomorphic encryption
The analysis of the KHE scheme is given below:
Table 2 NIST recommended key size of ECC and RSA in bits and its security level [51].

| S.No | ECC | RSA | Security in Bits |
|------|-----|--------|-----|
| 1 | 160 | 1024 | 80 |
| 2 | 224 | 2048 | 112 |
| 3 | 256 | 3072 | 128 |
| 4 | 384 | 7680 | 192 |
| 5 | 512 | 15,360 | 256 |

6.1. Discrete logarithm problem (DLP)
Let G be a group of prime order q and g be a generator of the group G. Then DLP can be defined as: given (P, ag) for a random a ∈ Z*_p, finding a is the desired DLP.
6.2. Elliptic curve point operations
An elliptic curve is used for a sufficient security parameter; finding a large integer k is hard for an eavesdropper due to the hardness of ECDLP. Let q be a large prime number, where q ≥ 2^160, and let Fq be a finite field of order q (Table 1). The equation of an elliptic curve E over the finite field Fq is defined below:
$$y^2 = (x^3 + ax + b) \bmod (q) \tag{12}$$
$$(4a^3 + 27b^2) \neq 0 \tag{13}$$
The elements of the field Fq with order n are used in the binary elliptic curve point multiplication (ECPM) and elliptic curve point addition (ECPA). ECPM can be defined as nP, which requires 224 point doublings and on average 112 point additions for a 224-bit scalar n [50]. Our proposed scheme is compared with the schemes [5,29,40]. The operation of the scheme [5] is exponentiation of the form x^k mod n², where k and n have the same key size in bits, and the schemes [29,40], which have the Elgamal structure, also have two exponentiations such as x^k mod n², where k is any integer and the length of k is equal to the length of n² in bits. Our proposed scheme has the structure of ECDLP and its security is more efficient as compared to the Diffie-Hellman and Elgamal structures [5,29,40] due to ECPM. Table 2 shows the efficiency of the proposed scheme.
6.3. Kernel homomorphic encryption
In Ker-HE we take a generated key KHE and encrypt the plaintexts ri using encryption on the public key of the encrypter, known as ys. A user uses his public key ys with homomorphic encryption and evaluates the ciphertexts. In the evaluation, f is used as a kernel function, c as a cipher and KHE as a Ker-HE. The flow of Ker-HE is given in Fig. 9, and the function flow is shown in Fig. 8. The analysis of Ker-HE using different types of operations such as MUL, EXP, and Enc is shown in Fig. 9.

Table 1. Key terms and symbols.

| Symbol | Description | Symbol | Description |
|---|---|---|---|
| q | A large prime number where q ≤ n | R | Ring |
| Enc/Dec | Encryption/Decryption | n | A large prime number, where n ≥ 2^160 |
| GF | Field | O(r) | A set of field elements |
| h | Hash function | ECDLP | Elliptic Curve Discrete Logarithm Problem |
| ECPM | Elliptic Curve Point Multiplication | ECPA | Elliptic Curve Point Addition |
| G | Group | g | A base point of elliptic curves Fq with order n |
| Ek/Dk | Symmetric encryption/decryption algorithm with private key k | m, r | Plaintexts |
| K/KH | Kernel/Kernel Homomorphic | c/cf | Ciphertext |
| O | Operations | Oe | Encryption operation |
| Om | Multiplication operations | Od | Decryption operation |
| 1 | EC-Multiplication | 2 | EC-Exponentiation |
| τ1 | Multiplication time | τc | Exponentiation time |
| τ1 | Multiplication time consumption | τc | Exponentiation time consumption |

Fig. 8. Apply ∂ as a kernel homomorphism.
Fig. 9. Flow of kernel homomorphic encryption.
Fig. 10. Flow of kernel homomorphic decryption.
Fig. 11. Bits size comparison of MUL with Enc and EXP for encryption.
Fig. 12. Bits size comparison of MUL with Dec and EXP for decryption.

6.4. Kernel homomorphic decryption

In kernel homomorphic decryption we take a generated key KHD as a kernel decryptor key and decrypt the ciphertexts ci using homomorphic decryption on the secret key sk of the decrypter. A user uses the secret key sk with homomorphic decryption and evaluates the original plaintexts. During decryption evaluation, we use ker as a kernel function to evaluate the original plaintexts, else ⊥. The flow of kernel homomorphic decryption is given in Fig. 10, and the algorithmic representation is given in Algorithm 3.

Algorithm 3 Kernel homomorphic decryption algorithm.
1: Compute r1 ← (Dec_sk(c1)) mod (n).
2: Compute r2 ← (Dec_sk(c2)) mod (n).
3: Send (r1 and r2) to the kernel homomorphic evaluation phase.

The analysis of kernel homomorphic decryption using different types of operations such as MUL, EXP¹, and Dec is shown in Fig. 11 (Algorithm 4).

Algorithm 4 Kernel homomorphic evaluation algorithm.
1: Compute Eval_evk ← ys.ker.ci.
2: Compute c ← (c1 c2) mod (n).
3: Compute c ← (Eval_evk(ker, ci) mod (n)), where evk is the evaluation key, ker is the kernel function and ci is a ciphertext.
4: Check r ← ∂^{-1}.(c) mod (n).
5: Output r, else invalid (⊥), reject.

¹ A great achievement of our proposed scheme is that the exponentiation (EXP) computation becomes zero. Therefore our scheme is much faster as compared to existing schemes, and in Figs. 11 and 12 we do not show the exponentiation (EXP) graph.

6.5. Kernel homomorphic evaluation

The National Institute of Standards and Technology (NIST) [51] recommends key sizes of ECC and RSA having the same security level in bits. RSA is based on the Integer Factorization Problem (IFP) and ECC is based on ECDLP. The main difference is that ECC can take smaller input parameters to solve ECDLP rather than RSA, and RSA takes full exponential time to solve IFP, for providing an equal level of security [51]. For example, for a 112-bit security level, the ECC and RSA key sizes are shown in Table 2. Table 2 shows that ECC-224 provides the same security as RSA-2048 and the scheme of G. Castagnos with 1348 bits [29,52]. The major operations of C. Guilhem and L. Fabien [29] are 12 (encryption-5, decryption-7) and our proposed scheme has 8 (encryption-2, decryption-2 and multiplication-4) in encryption and decryption. The same security level with a smaller key size makes ECC more efficient as compared to RSA, and its key sizes are as follows: ECC-160 provides the same security as RSA-1024 and ECC-224 provides the same security as RSA-2048 [52]. The total multiplication of our proposed scheme is 4n, where encryption and decryption take 2 multiplications respectively. The conversion formula from a 10 kb message size into bits is given below:
$$\text{MS in bits} = \text{IbS} + 10 \times 1\,\text{kb} \tag{14}$$

Where MS = Message Size, IbS = Input bits Size, kb = kilobytes, 1 kb = 1024 bits.

Theorem 1. To prove that the ciphertext “c” exists or not.

Proof. Taking the R.H.S. to show the originality of the ciphertext “c”: r = .((r1) (r2)) = .(r1) .(r2) = Enc(r1) Enc(r2) = Enc(r) ⇒ Enc(r) = c. According to the kernel homomorphism, we get the original ciphertext c.

Theorem 2. To prove that the message “r” is valid or not.

Proof. Taking the L.H.S. to prove the originality of the message “r”, we know that .c = r = .(c1 c2) = .(∂(Enc(r1)) mod (n) ∂(Enc(r2)) mod (n)), by using Eq. (8), = .(r1 r2) mod (n) = c, by using Eqs. (7) and (10). By applying a kernel homomorphism “” on c1, c2 for bounding the length of r, we are able to get the original plaintexts, else invalid credentials. The output is the original plaintext r, else invalid ⊥.

Table 3. Bits size comparison of MUL with Enc and EXP for encryption.

| Schemes | Input size | Multiplication | Exponentiation |
|---|---|---|---|
| Our scheme | 224 | 1792 | 00 |
| C. Guilhem and L. Fabien [29] | 1348 | 2696 | 4044 |
| E. Bresson et al. [40] | 2048 | 4096 | 6144 |

Table 4. Bits size comparison of MUL with Enc and EXP for decryption.

| Schemes | Input size | Multiplication | Exponentiation |
|---|---|---|---|
| Our scheme | 224 | 1792 | 00 |
| C. Guilhem and L. Fabien [29] | 1828 | 5484 | 7312 |
| E. Bresson et al. [40] | 2048 | 6144 | 8192 |
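Section 6.2 quotes 224 point doublings and on average 112 point additions for a 224-bit scalar, and Section 6.5 relies on the same ECPM cost. The following Python sketch is an added example, not code from the paper: it checks the curve equation (12) and the discriminant term of (13), then runs double-and-add ECPM and counts both operations. The toy curve (q = 97, a = 2, b = 3), the base point g = (3, 6), the sample scalar and all function names are assumptions constructed for illustration.

```python
"""Double-and-add ECPM on a toy curve, with operation counts (added example)."""
import random

# Constructed toy parameters, far too small for real use: the field prime q,
# curve coefficients a and b, and a base point g on y^2 = x^3 + 2x + 3 mod 97.
Q, A, B = 97, 2, 3
G = (3, 6)
INF = None  # point at infinity, the identity of the curve group


def is_nonsingular(a, b, q):
    """A curve y^2 = x^3 + ax + b is usable only if 4a^3 + 27b^2 != 0 (mod q)."""
    return (4 * a**3 + 27 * b**2) % q != 0


def on_curve(P, a=A, b=B, q=Q):
    """Check y^2 = x^3 + ax + b (mod q); the point at infinity always passes."""
    if P is INF:
        return True
    x, y = P
    return (y * y - (x**3 + a * x + b)) % q == 0


def point_add(P, R, a=A, q=Q):
    """ECPA: add two points, covering infinity, inverses and the doubling case."""
    if P is INF:
        return R
    if R is INF:
        return P
    x1, y1 = P
    x2, y2 = R
    if x1 == x2 and (y1 + y2) % q == 0:
        return INF  # P + (-P); also doubling a point whose y is 0
    if P == R:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, q - 2, q) % q  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, q - 2, q) % q  # chord slope
    x3 = (lam * lam - x1 - x2) % q
    y3 = (lam * (x1 - x3) - y1) % q
    return (x3, y3)


def scalar_mult(n, P, bits):
    """ECPM nP by left-to-right double-and-add over a fixed scalar width.

    Every loop iteration is counted as one doubling and every set bit of n as
    one addition (including the trivial ones on the point at infinity).
    Returns (nP, doublings, additions).
    """
    if not 0 <= n < (1 << bits):
        raise ValueError("scalar does not fit in the given width")
    acc, doublings, additions = INF, 0, 0
    for i in reversed(range(bits)):
        acc = point_add(acc, acc)
        doublings += 1
        if (n >> i) & 1:
            acc = point_add(acc, P)
            additions += 1
    return acc, doublings, additions


def naive_mult(n, P):
    """Reference result: add P to itself n times (only feasible for tiny n)."""
    acc = INF
    for _ in range(n):
        acc = point_add(acc, P)
    return acc


def average_additions(bits, trials, seed):
    """Mean number of additions over `trials` uniformly random `bits`-bit scalars."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        _, _, adds = scalar_mult(rng.getrandbits(bits), G, bits)
        total += adds
    return total / trials


if __name__ == "__main__":
    assert is_nonsingular(A, B, Q) and on_curve(G)
    xs = 0b101101  # constructed private scalar
    ys, dbl, add = scalar_mult(xs, G, 224)  # public key ys = xs.g
    print("ys =", ys, "doublings =", dbl, "additions =", add)
    print("mean additions, 224-bit scalars:", average_additions(224, 400, seed=1))
```

Because the number of additions equals the Hamming weight of the scalar, this textbook loop leaks key bits through timing; production ECC code uses constant-time ladders or fixed-window methods instead.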
6.6. Kernel homomorphism and garbled circuits

FHE and Garbled Circuits (GC) [58] are two cryptographic protocols that enable two-party secure communication. In this communication, the encrypted data is processed without leaking any information. For processing large amounts of data in the cloud, the existing FHE scheme is extremely inefficient due to impracticality. GC, on the other hand, is efficient, but it cannot re-use a one-time program [53]. X.A. Wang et al. [54] proposed the concept of re-usable garbled gates [56] for a new fully homomorphic encryption service, in which the authors removed the re-built error during different inputs from client to cloud [54,55]. The shortcoming of X.A. Wang's scheme is that re-usable circuit private and public key garbling is unattainable due to the impossibility of a public-key re-usable garbled circuit [57]. To ensure public key re-usability w.r.t. private and public key garbling, we proposed the Ker-HE scheme (see Section 5). In scheme [59], homomorphic operations in FHE are usually achieved by polynomial operations (addition, multiplication) and bootstrapping. The bootstrapping process contains a heavy homomorphic decryption operation. Therefore, it requires a large ciphertext modulus to prevent decryption noises/errors. For example, a 10k database in a commercial cloud server requires hundreds of polynomial additions and multiplications [59]. The existing FHE scheme is not efficient due to the large ciphertext modulus. Therefore, our proposed Ker-HE scheme uses multiplication and exclusive OR operations to revoke the exceeding ciphertext size and noises by using kernel and kernel homomorphism. The existing re-usable GC scheme [54] padded input transformation into the decryption phase. During decryption, when the padding is added, the size of the ciphertext increases and obfuscates the public key (PK). The padding makes noises and disturbs the whole system, and its communication fails due to PK obfuscation and padding. Therefore, the performance of our proposed Ker-HE scheme is efficient as compared to scheme [54].

7. Performance comparison of our scheme with traditional FHE and HE scheme in terms of growing noises

In this section, we compare the growth rate of noises during homomorphic encryption w.r.t. addition, multiplication and XOR with existing FHE and HE schemes. The noise growth of our scheme w.r.t. addition is zero as compared to the schemes [6,15,39,41–43]. For the existing schemes [6,15,39,41–43], the growth rate of noises during homomorphic encryption for the addition operation is 2B, l1(s), 2B, ω(logλ), 2B, ω(logλ), ≤ renc, and the noise growth of our scheme w.r.t. multiplication is 4n as compared to traditional FHE and HE schemes [6,15,39,41–43]. For the existing traditional FHE and HE schemes [6,15,39,41–43], the growth rate of noises during homomorphic encryption for multiplication is xl, B^2, 2 p +2, B^2, 2 p +2, ≤ (renc)^2. The noise growth of our scheme w.r.t. XOR is c1 c2 as compared to traditional FHE and HE schemes [6,15,39,41–43]. For the existing traditional FHE and HE schemes [6,15,39,41–43], the growth rate of noises during homomorphic encryption for the XOR operation is a + b − 2ab, a + b − 2ab, −, (HE.Decs(c1) HE.Decs(c2)), −, (X Y). The details are given in Table 5.

8. Computation time

Our proposed scheme is compared with the schemes [29,40]. The time for performing encryption and decryption is calculated in ms for all schemes. The most costly operations in the proposed and existing schemes are ( 1 , 2 , Om, Oe, Od). Our proposed scheme has the structure of ECDLP and its security is more efficient as compared to the Diffie-Hellman and Elgamal structures [29,40]. The calculated cost of the operations ( 1 , 2 , Om, Oe, Od) and the consumed time (τ1, τc) under Infineon's SLE66CUX640P [61,62] is 83 ms and 220 ms respectively. The computational cost is computed from Eq. (15), the analysis is given in Table 6 and the results are shown in Fig. 13.

Computation time = ( 1 ∗ τ1) + ( 2 ∗ τc)    (15)
9. Noises complexity

In this section, we compare our scheme with the existing schemes [6,15,39,42,43], and analyze how much we reduce the number of noises w.r.t. addition, multiplication and exclusive or () (see Table 5).
Table 5. The growth of noises during homomorphic encryption w.r.t. Addition, Multiplication and XOR.

| Schemes | Noises growth: Addition | Noises growth: Multiplication | Noises growth: XOR |
|---|---|---|---|
| Our Scheme | 0 | 4n | c1 c2 |
| B. Zvika, et al. [6] | l1(s) | xl | a + b − 2ab |
| B. Zvika, et al. [41] | 2B | B^2 | a + b − 2ab |
| D. Marten et al. [42] | ω(logλ) | 2 p +2 | − |
| B. Zvika and V. Vinod [15] | 2B | B^2 | HE.Decs(c1) HE.Decs(c2) |
| C. J. Hee and D. Stehle [43] | ω(logλ) | 2 p +2 | − |
| M. Rebecca [39] | ≤ 2renc | ≤ (renc)^2 | (X Y) |
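Table 6. Computational time comparison.

| Schemes | O | MUL and EXP times: 1 | MUL and EXP times: 2 | τ1 (ms) | τc (ms) | Computational time of MUL and EXP: τ1 (ms) | Computational time of MUL and EXP: τc (ms) |
|---|---|---|---|---|---|---|---|
| Proposed scheme | Om | 4 | - | 83 | - | 332 | - |
| | Oe | 2 | - | 83 | - | 166 | - |
| | Od | 2 | - | 83 | - | 166 | - |
| C. Guilhem and L. Fabien [29] | Oe | 2 | 3 | 83 | 220 | 166 | 660 |
| | Od | 3 | 4 | 83 | 220 | 249 | 880 |
| E. Bresson et al. [40] | Oe | 2 | 3 | 83 | 220 | 166 | 660 |
| | Od | 3 | 4 | 83 | 220 | 249 | 880 |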
Input size with major operations
1. B. Zvika, et al. schemes
In the schemes [6,15], the analyzed steps are FHE:Add, FHE:Mult, SwitchKey and Scale; the number of noises of each step is given below:
FHE:Add: For any reasonable parameters n choice is suitable.
FHE:Mult: Let the ciphertexts c1 and c2 be under secret key sj and modulus qj; then the noise becomes e_i = [L_{c_i}(s_j)]_{q_j}, where L_{c_i}(x) is the dot product of ci and x. The length of the noises of the ciphertexts c1 and c2 is B, and the noise of c3 grows to γ_R.B^2 for the linear equation, and the number of noises of the non-quadratic is 2B.
FHE:Refresh: In this step the new noise length becomes to at nj + 1 most B + 2γR .Bx . .log q j . d j . 2
FHE:Scale: The ciphertext under the key s_{j−1} for modulus q_{j−1}.

2. D. Marten et al. [42]
When the length of X0 is greater than the length of 2r, noises arise.

3. C. J. Hee and D. Stehle [43]
The noises arise when the magnitude of each fresh noise r ≥ 2ρ.

4. M. Rebecca [39]
The author determines the maximum depth of an arbitrary arithmetic circuit C such that ψ = C(ψ1, ..., ψn) still lies within FI. If at each level of computation in a circuit the length of the ciphertext grows with noise, we can establish a maximum depth d for a computable circuit that will produce a decryptable ciphertext.

5. Wang, X. A. [54]
In this scheme the publishing of the public key is impossible according to the existing re-usable garbled circuit scheme [57], and the growth rate of noises differs for the different types of gates (AND, OR, and XOR).

• AND Gate
The re-usable garbled gates are generated using the AND gate for the ciphers (C^0_{00}, C^0_{01}, C^0_{10}, C^1_{11}); its noises become (c1 c2 c3, c1 c2 c3, c1 c2 c3, c1 c2 c3), where C^0_{00} = (C1, C2, C3), C^0_{01} = (C1, C2, C3), C^0_{10} = (C1, C2, C3), C^1_{11} = (C1, C2, C3). In the AND gate, the author takes these ciphers as PK. The function of re-usable garbled gates fails due to the impossibility of PK [57]. To ensure public key impossibility, we proposed the kernel homomorphic encryption protocol.

• OR Gate
The re-usable garbled gates are generated using the OR gate for the ciphers (D^0_{00}, D^0_{01}, D^0_{10}, D^1_{11}); its noises become (D1 D2 D3, D1 D2 D3, D1 D2 D3, D1 D2 D3), where D^0_{00} = (D1, D2, D3), D^0_{01} = (D1, D2, D3), D^0_{10} = (D1, D2, D3), D^1_{11} = (D1, D2, D3). These ciphers increase the noises and the computation due to the impossibility of the public key. In our proposed scheme the noise rate w.r.t. the OR gate is (c1 c2), which is more efficient as compared to existing schemes.

• XOR Gate
The re-usable garbled gates are generated using the XOR gate for the ciphers (E^0_{00}, E^0_{01}, E^0_{10}, E^1_{11}); its noises become (E1 E2 E3, E1 E2 E3, E1 E2 E3, E1 E2 E3). From Table 6, we say that the XOR gate of scheme [54] has high computation as compared to our proposed kernel homomorphic scheme (c1 c2). The noise rate of our proposed scheme w.r.t. the XOR gate operation is c1 c2, which is more efficient as compared to scheme [54].

Fig. 13. Computational time comparison.
6. Our Scheme
In our scheme the number of noises depends on c1 c2 and r1 r2, where c1 and c2 are the noises of the ciphertexts and r1 and r2 are the noises of the plaintexts. Without applying the kernel homomorphism the noise rate increases. Therefore, we apply a kernel and kernel homomorphism to control it. From Eqs. (3)–(11) it is also clear that the exceeding size or length of noises or errors is controlled by the kernel homomorphism, because it uses the concept of the bijective function, in which the plaintexts and ciphertexts belong to their own accurate domain and range. If they exceed the length, so that the plaintext does not match its domain and the ciphertext length does not match the range of the ciphers, then the kernel homomorphism will discard it and our scheme will be safe from arising noises.

The efficiency of our proposed scheme w.r.t. encryption is 79.12% and w.r.t. decryption is 86.64% under the multiplication operation, and under the exponentiation operation it is 100%. The efficiency of the existing scheme [29] w.r.t. encryption under multiplication is 68.59% and under exponentiation is 60.30%, and w.r.t. decryption under multiplication is 59.13% and under exponentiation is 66.94%. For the existing scheme [40], the efficiency w.r.t. encryption under multiplication is 52.28% and under exponentiation is 39.69%, and w.r.t. decryption under multiplication is 54.21% and under exponentiation is 33.05% respectively. The performance efficiency in percentage is calculated from the formula below.

$$\text{PE in \%age} = \frac{|T.\text{size}| - |S.\text{size}|}{T.\text{size}} \times 100 \tag{16}$$

Where PE stands for Performance Efficiency, T for Total, S for scheme and %age for percentage. We calculate PE w.r.t. three terms: “Input Size”, “Encryption” and “Decryption” (Table 7).

• Input Size
In our proposed scheme PE in terms of input size is 94.53% as compared to the existing schemes. The PE of the existing schemes is 55.41% and 50.04% respectively (see Table 7).

• Encryption
In our proposed kernel homomorphism scheme PE in terms of encryption (MUL) is 79.12% and for the existing schemes it is 68.59% and 52.28%. In terms of encryption (EXP), PE of our proposed kernel homomorphism scheme is 100% and of the existing schemes 60.30% and 39.69% respectively (see Table 7).

• Decryption
In our proposed kernel homomorphism scheme PE in terms of decryption (MUL) is 86.64% and for the existing schemes it is 59.13% and 54.21%. In terms of decryption (EXP), PE of our proposed kernel homomorphism scheme is 100% and of the existing schemes 66.94% and 33.05% respectively (see Table 7).

Table 7. Performance analysis.

| Schemes | Input Size %age | Encryption τ1 | Encryption τc | Decryption τ1 | Decryption τc |
|---|---|---|---|---|---|
| Our Scheme | 94.53% | 79.12% | 100% | 86.64% | 100% |
| C. Guilhem and L. Fabien [29] | 55.41% | 68.59% | 60.30% | 59.13% | 66.94% |
| E. Bresson et al. [40] | 50.04% | 52.28% | 39.69% | 54.21% | 33.05% |

10. Security properties

Security is an important feature of a homomorphic encryption scheme. To ensure security we consider the secrecy of δ as a kernel function and ∂ as a kernel homomorphism that the client sends to the cloud. As we have seen, the encryption with the function δ and the public key ys encrypts a message r and produces a ciphertext c. The client sends c to the cloud and the sender sends the message to the receiver. It is important that during encryption the contents of r do not reveal any information about the coefficients. The secrecy of the scheme relies on the hardness of the open ECDLP problem. Some security properties are:

10.1. Integrity
Integrity means that tampering of the plaintexts (m, r) into (m , r ) is infeasible for an attacker due to the random selection of an integer as the private key xs and the point multiplication of ECC (g).

10.2. Confidentiality

The function of encryption is to provide confidentiality [60]. An eavesdropper may try to get the secret and private keys (sk, xs), but computing these two keys is computationally hard due to ECDLP. By using ECDLP it is difficult for an eavesdropper to get Sk and Xs.

10.3. Un-forgeability

Computing the secret key sk from ys = xs.g is computationally hard for an attacker, who would have to solve ECDLP. So the un-forgeability property holds.

11. Applications

In a real-world scenario, when two parties are communicating with each other by using a cloud platform or electronic platform, the KHE scheme is used to generate the exact ciphers and revoke the noises.

11.1. Non-malleability

The KHE scheme is fully opposite to malleability. It applies some known function for decryption without knowing the content of the message m, and the adversary is unable to get the original plaintext (see section E).

11.2. Control input and output size

The applied functions of the KHE scheme are used to control the exceeding input and output size during encryption and decryption and provide the exact length of the ciphers and plaintexts.

12. Discussion

Encryption and decryption suffer from the failure of the mathematical function known as the injective function (see Fig. 6): in encryption we want to get ciphertexts from plaintexts, and in decryption we want to get plaintexts from ciphertexts. Therefore the usage of homomorphism is the best solution to this problem. In the literature review (see Section 4), we studied different homomorphism schemes [5,6,8,9,11,12,15,18,29,33–40,42,43]. Our main focus was on the prevention of the exceeding size of ciphertexts and of noises during homomorphic evaluation. Once the input or output size increases, it directly increases the size of the computation and communication overheads.
Therefore, our projected plan of kernel homomorphism is more suitable for cloud computing and for communicating environments (such as e-voting systems, PIR and e-payment systems etc.). The cloud will be safe from extra input bits size and communicating environments will be safe from malleability and noises or errors. The correctness of kernel and kernel homomorphism is based on our proposed algorithm. In this algorithm we take two functions: one is the kernel function and the other is the kernel homomorphism function. When we compare the bit size of MUL with Enc and EXP for encryption and decryption, our scheme is more suitable for lightweight environments due to the small key size, and it decreases the growth rate of noises during homomorphic encryption w.r.t. Addition, Multiplication and XOR (see Tables 3–5).

13. Concluded remarks

Our proposed scheme is used to prevent noises or errors during decryption and resolve the failure of the injection function of homomorphism by using the kernel function and kernel homomorphism. These functions are used to control the exceeding size of the ciphers and remove noises [9] during decryption. The performance of our proposed scheme is 79.12% and 86.64% in the multiplication operation during encryption and decryption respectively. The efficiency of the exponentiation operation of our scheme is 100% as compared to existing schemes. Our scheme is capable of preventing malleability, noises or errors, and exceeding length of ciphers during plaintext encryption and ciphertext decryption. We successfully achieve our goals without noises, and the scheme also controls the exceeding ciphertext size during decryption. When the size of ciphertexts exceeds, it will cause failure of the whole system and the communicating parties cannot communicate with each other. Our scheme is also more appropriate in terms of security and computation overheads.

14. Future work

In future, it is an open challenge for researchers to make a generalized fully dynamic Multi-Target Homomorphic Encryption using ∞ − hop with correctness and compactness based on HECDLP.

Declaration of Competing Interest

We wish to confirm that there are no known conflicts of interest associated with this publication and there has been no significant financial support for this work that could have influenced its outcome.

Acknowledgment

This work is supported in part by NSF China under Grant No. 61572281, No. 61472218, No. 61502271 and is partially supported by China National Funds for Distinguished Young Scientists with No. 61625205, Key Research Program of Frontier Sciences, CAS, No. QYZDYSSW-JSC002, NSFC with No. 61520106007, NSF ECCS1247944, NSF CMMI 1436786, and NSF CNS 1526638. Helpful discussions with Muhammad Ajmal (PhD scholar in Mathematics) and Muhammad Wasif Sardar (Assistant Professor) are appreciated. The authors are also thankful to the anonymous reviewers for their comments.

Supplementary material

Supplementary material associated with this article can be found, in the online version, at doi:10.1016/j.jisa.2019.102366.
References

[1] Dummit DS, Foote RM. Abstract algebra (Vol. 3). Hoboken: Wiley; 2004.
[2] Bergman S. The kernel function and conformal mapping (Vol. 5). Am Math Soc.; 1970.
[3] Needham RM, Schroeder MD. Using encryption for authentication in large networks of computers. Commun ACM 1978;21(12):993–9.
[4] Sharma I. Fully homomorphic encryption scheme with symmetric keys. 2013. arXiv:1310.2452.
[5] Paillier P. Public-key cryptosystems based on composite degree residuosity classes. In: International conference on the theory and applications of cryptographic techniques. Berlin, Heidelberg: Springer; 1999. p. 223–38.
[6] Brakerski Z, Gentry C, Vaikuntanathan V. (Leveled) fully homomorphic encryption without bootstrapping. ACM Trans Comput Theory (TOCT) 2014;6(3):13.
[7] Wu DJ. Fully homomorphic encryption: Cryptography’s holy grail. ACM Crossroads 2015;21(3):24–9.
[8] Rivest RL, Adleman L, Dertouzos ML. On data banks and privacy homomorphisms. Found Secure Comput. 1978;4(11):169–80.
[9] Gentry C, Boneh D. A fully homomorphic encryption scheme (Vol. 20, No. 09). Stanford: Stanford University; 2009.
[10] Van Tilborg HC, Jajodia S. Encyclopedia of cryptography and security. Springer Science & Business Media; 2014.
[11] Gentry C, Halevi S, Peikert C, Smart NP. Field switching in BGV-style homomorphic encryption. J Comput Secur 2013;21(5):663–84.
[12] Gentry C, Halevi S. Implementing Gentry’s fully-homomorphic encryption scheme. In: Annual international conference on the theory and applications of cryptographic techniques. Berlin, Heidelberg: Springer; 2011. p. 129–48.
[13] Harper M. Fully homomorphic encryption. Mathematics Department of Washington; 2014. Tech. rep., technical report.
[14] Coron JS, Mandal A, Naccache D, Tibouchi M. Fully homomorphic encryption over the integers with shorter public keys. In: Annual cryptology conference. Berlin, Heidelberg: Springer; 2011. p. 487–504.
[15] Brakerski Z, Vaikuntanathan V. Efficient fully homomorphic encryption from (standard) LWE. SIAM J Comput 2014;43(2):831–71.
[16] Armknecht F, Katzenbeisser S, Peter A. Group homomorphic encryption: characterizations, impossibility results, and applications. Des Codes Cryptogr 2013;67(2):209–32.
[17] Moore C, O’Neill M, O’Sullivan E, Dorz Y, Sunar B. Practical homomorphic encryption: A survey. In: 2014 IEEE international symposium on circuits and systems (ISCAS). IEEE; 2014. p. 2792–5.
[18] Naehrig M, Lauter K, Vaikuntanathan V. Can homomorphic encryption be practical?. In: Proceedings of the 3rd ACM workshop on cloud computing security workshop. ACM; 2011. p. 113–24.
[19] Wang W, Hu Y, Chen L, Huang X, Sunar B. Exploring the feasibility of fully homomorphic encryption. In: IEEE transactions on computers, vol. 64; 2015. p. 698–706.
[20] Lindner R, Peikert C. Better key sizes (and attacks) for LWE-based encryption. In: Cryptographers’ track at the RSA conference. Berlin, Heidelberg: Springer; 2011. p. 319–39.
[21] Rivest RL, Shamir A, Adleman L. A method for obtaining digital signatures and public-key cryptosystems. Commu ACM 1978;21(2):120–6.
[22] ElGamal T. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans Inf Theory 1985;31(4):469–72.
[23] Yu A, Lai WL, Payor J. Efficient integer vector homomorphic encryption. 2015. URL: https://courses.csail.mit.edu/6.857/2015/files/yu-lai-payor.pdf
[24] Ong CS, Williamson RC, Smola AJ. Hyperkernels. In: Advances in neural information processing systems; 2003. p. 495–502.
[25] Micchelli CA, Pontil M. Learning the kernel function via regularization. J Mach Learn Res 2005:1099–125.
[26] Genton MG. Classes of kernels for machine learning: a statistics perspective. J Mach Learn Res 2001;2(Dec):299–312.
[27] Hnich B. Function variables for constraint programming. AI Commun 2003;16(2):131–2.
[28] Preneel B. Analysis and design of cryptographic hash functions (Doctoral dissertation). Katholieke Universiteit te Leuven; 1993.
[29] Castagnos G, Laguillaumie F. Linearly homomorphic encryption from DDH. In: Cryptographers track at the RSA conference. Cham: Springer; 2015. p. 487–505.
[30] Coppersmith D. The data encryption standard (DES) and its strength against attacks. IBM J Res Dev 1994;38(3):243–50.
[31] Daemen J, Rijmen V. AES proposal. Rijndael; 1999.
[32] Schneier B, Kelsey J, Whiting D, Wagner D, Hall C, Ferguson N. Twofish: a 128-bit block cipher. NIST AES Proposal 1998;15(1):23–91.
[33] Henry K. The theory and applications of homomorphic cryptography. University of Waterloo; 2008. Master’s thesis.
[34] Sen J. Homomorphic encryption: theory & applications. 2013. arXiv:1305.5886.
[35] Brakerski Z, Vaikuntanathan V. Fully homomorphic encryption from ring-LWE and security for key dependent messages. In: Annual cryptology conference. Berlin, Heidelberg: Springer; 2011. p. 505–24.
[36] Fan J, Vercauteren F. Somewhat practical fully homomorphic encryption. In: IACR Cryptology ePrint Archive, 2012; 2012. p. 144.
[37] Stehle D, Steinfeld R. Faster fully homomorphic encryption. In: International conference on the theory and application of cryptology and information security. Berlin, Heidelberg: Springer; 2010. p. 377–94.
[38] Smart NP, Vercauteren F. Fully homomorphic encryption with relatively small key and ciphertext sizes. In: International workshop on public key cryptography. Berlin, Heidelberg: Springer; 2010. p. 420–43.
[39] Meissen RM. A mathematical approach to fully homomorphic encryption. 2012. Retrieved from https://digitalcommons.wpi.edu/mqp-all/2446.
[40] Bresson E, Catalano D, Pointcheval D. A simple public-key cryptosystem with a double trapdoor decryption mechanism and its applications. In: International conference on the theory and application of cryptology and information security. Berlin, Heidelberg: Springer; 2003. p. 37–54.
[41] Brakerski Z, Gentry C, Vaikuntanathan V. (Leveled) fully homomorphic encryption without bootstrapping. In: Proceedings of the 3rd innovations in theoretical computer science conference (ITCS ’12). New York, NY, USA: ACM; 2012. p. 309–25.
[42] Van Dijk M, Gentry C, Halevi S, Vaikuntanathan V. Fully homomorphic encryption over the integers. In: Annual international conference on the theory and applications of cryptographic techniques. Berlin, Heidelberg: Springer; 2010. p. 24–43.
[43] Cheon JH, Stehle D. Fully homomophic encryption over the integers revisited. In: Annual international conference on the theory and applications of cryptographic techniques. Berlin, Heidelberg: Springer; 2015. p. 513–36.
[44] Wand MP, Jones MC. Kernel smoothing. Chapman and Hall/CRC; 1994.
[45] Weston J, Elisseeff A, Scholkopf B, Tipping M. Use of the zero-norm with linear models and kernel methods. J Mach Learn Res 2003:1439–61.
[46] LeCun Y, Bengio Y, Hinton G. Deep learning. Nature 2015;521(7553):436.
[47] Shawe-Taylor J, Cristianini N. Kernel methods for pattern analysis. Cambridge University Press; 2004.
[48] Weston J, Elisseeff A, Scholkopf B, Tipping M. Use of the zero-norm with linear models and kernel methods. J Mach Learn Res 2003:1439–61.
[49] Markus H, Kunda Z. Stability and malleability of the self-concept. J Personal Soc Psychol 1986;51(4):858.
[50] Kasper E. Fast elliptic curve cryptography in OpenSSL. In: International conference on financial cryptography and data security. Berlin, Heidelberg: Springer; 2011. p. 27–39.
[51] Barker E, Barker W, Burr W, Polk W, Smid M. Recommendation for key management part 1: general (revision 3). NIST Spe. Publ. 2012;800(57):1–147.
[52] Gura N, Patel A, Wander A, Eberle H, Shantz SC. Comparing elliptic curve cryptography and RSA on 8-bit CPUs. In: International workshop on cryptographic hardware and embedded systems. Berlin, Heidelberg: Springer; 2004. p. 119–32.
[53] Malluhi, et al. Method and system for privacy preserving computation in cloud using fully homomorphic encryption. 2019. https://patents.google.com/patent/US20190007196A1/en.
[54] Wang XA, Xhafa F, Ma J, Cao Y, Tang D. Reusable garbled gates for new fully homomorphic encryption service. In: International journal of web and grid services, vol. 13; 2017. p. 25–48.
[55] Chatterjee A, Aung KMM. Fully homomorphic encryption in real world applications. In: Computer Architecture and Design Methodologies, https://doi.org/10.1007/978-981-13-6393-1_2.
[56] Goldwasser S, Kalai Y, Popa RA, Vaikuntanathan V, Zeldovich N. Reusable garbled circuits and succinct functional encryption. In: Proceedings of the forty-fifth annual ACM symposium on theory of computing. ACM; 2013. p. 555–64.
[57] Goldwasser S, Kalai YT, Popa RA, Vaikuntanathan V, Zeldovich N. Succinct functional encryption and applications: reusable garbled circuits and beyond. In: IACR Cryptology ePrint Archive, 2012; 2012. p. 733.
[58] Yao AC. Protocols for secure computations. In: Foundations of computer science. IEEE, 1982; 1982. p. 160–4. 1982. SFCS’08. 23rd Annual Symposium on.
[59] Tan PZ, Ning BL, Xiao YY, Li QL, Yi TD, Xu AW. Secure testing for genetic diseases on encrypted genomes with homomorphic encryption scheme. Secur Commun Netw 2018;2018:1–12. Article ID 4635715. doi:10.1155/2018/4635715.
[60] Shamsher U, Xiang-Yang L, Zhang L. A review of signcryption schemes based on hyper elliptic curve. In: 3rd international conference on big data computing and communications; 2017. p. 51–8. 978-1-5386-3349-6/17 2017 IEEE doi:10.1109/BIGCOM.2017.5151.
[61] Ullah R, Umar AI, Amin N. Blind signcryption scheme based on elliptic curves. In: 2014 Conference on information assurance and cyber security (CIACS). IEEE; 2014. p. 51–4.
[62] Batina L, Örs SB, Preneel B, Vandewalle J. Hardware architectures for public key cryptography. Integrat VLSI J 2003;34(1–2):1–64.