# Stream Ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression

## Abstract

In typical applications of homomorphic encryption, the first step consists of Alice encrypting some plaintext *m* under Bob's public key \(\mathsf {pk}\) and sending the ciphertext \(c = \mathsf {HE}_{\mathsf {pk}}(m)\) to some third-party evaluator Charlie. This paper specifically considers that first step, i.e., the problem of transmitting *c* as efficiently as possible from Alice to Charlie. As others have suggested before, a form of compression is achieved using hybrid encryption. Given a symmetric encryption scheme \(\mathsf {E}\), Alice picks a random key *k* and sends a much smaller ciphertext \(c' = (\mathsf {HE}_{\mathsf {pk}}(k), \mathsf {E}_k(m))\) that Charlie decompresses homomorphically into the original *c* using a decryption circuit \(\mathcal {C}_{{\mathsf {E}^{-1}}}\). In this paper, we revisit that paradigm in light of its concrete implementation constraints; in particular, \(\mathsf {E}\) is chosen to be an additive IV-based stream cipher. We investigate the performance offered in this context by Trivium, which belongs to the eSTREAM portfolio, and we also propose a variant with 128-bit security: Kreyvium. We show that Trivium, whose security has been firmly established for over a decade, and the new variant Kreyvium both have excellent performance. We also describe a second construction, based on exponentiation in binary fields, which is impractical but sets the lowest multiplicative-depth record, \(8\), for \(128\)-bit security.
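The following is an added worked example and is not code from the paper or its authors. It implements Trivium as given in the eSTREAM specification (80-bit key, 80-bit IV, 1152 initialisation clocks) and uses it for both halves of the paradigm above: Alice's computation of \(\mathsf {E}_k(m)\) as a keystream XOR, and an estimate of the multiplicative depth of the decryption circuit \(\mathcal {C}_{{\mathsf {E}^{-1}}}\) that Charlie evaluates over \(\mathsf {HE}_{\mathsf {pk}}(k)\). The depth model (class `Enc`) is this example's own leveled-HE cost model and an assumption: a ciphertext-by-ciphertext AND consumes one level, an XOR or an AND with a public bit (IV bits, constants) consumes none, and algebraic cancellations are not tracked. The homomorphic encryption of *k* itself is not performed, the least-significant-bit-first loading of key, IV and keystream bytes is a convention chosen here (so the output is not claimed to match the eSTREAM reference implementation's test vectors, whose byte ordering would have to be checked), and the function names `trivium_xor`, `keystream_reuse_leak` and `decompression_depth` are this example's, not the paper's.

```python
"""Added example: Trivium as the symmetric layer E of the hybrid ciphertext
c' = (HE_pk(k), E_k(m)), plus a multiplicative-depth estimate of the
decryption circuit that Charlie evaluates homomorphically.

Not code from the paper.  Trivium follows the eSTREAM specification
(80-bit key, 80-bit IV, 1152 initialisation clocks).  Assumptions specific
to this example: least-significant-bit-first byte/bit ordering, and the
leveled-HE cost model in class Enc.  HE_pk(k) itself is not computed here.
"""
import os


class Enc:
    """A bit Charlie only holds as an HE ciphertext.  `depth` counts the
    ciphertext-by-ciphertext multiplications on the path that produced it
    (the leveled-HE cost model assumed by this example)."""
    __slots__ = ("depth",)

    def __init__(self, depth=0):
        self.depth = depth

    def __xor__(self, other):
        # Homomorphic addition never consumes a level; adding a public bit is free.
        return Enc(max(self.depth, other.depth)) if isinstance(other, Enc) else self
    __rxor__ = __xor__

    def __and__(self, other):
        # Ciphertext * ciphertext consumes one level.  Ciphertext * public bit is a
        # plaintext multiplication and consumes none; it stays a ciphertext even
        # when the public bit is 0, so the bound does not depend on the IV value.
        return Enc(max(self.depth, other.depth) + 1) if isinstance(other, Enc) else self
    __rand__ = __and__


def trivium(key, iv, n):
    """First n Trivium keystream bits.  key and iv are 80 bits each, either ints
    0/1 or Enc objects: the same code serves Alice (ints) and the depth analysis
    (key bits as Enc, IV bits as public ints).  Tap indices are the
    specification's 1-indexed positions shifted to 0-indexed."""
    if len(key) != 80 or len(iv) != 80:
        raise ValueError("Trivium takes an 80-bit key and an 80-bit IV")
    s = list(key) + [0] * 13 + list(iv) + [0] * 4 + [0] * 108 + [1, 1, 1]  # 288 bits

    def clock():
        t1, t2, t3 = s[65] ^ s[92], s[161] ^ s[176], s[242] ^ s[287]
        z = t1 ^ t2 ^ t3                       # output bit of this clock
        t1 = t1 ^ (s[90] & s[91]) ^ s[170]     # feedback into register B (s94..s177)
        t2 = t2 ^ (s[174] & s[175]) ^ s[263]   # feedback into register C (s178..s288)
        t3 = t3 ^ (s[285] & s[286]) ^ s[68]    # feedback into register A (s1..s93)
        s[:] = [t3] + s[:92] + [t1] + s[93:176] + [t2] + s[177:287]
        return z

    for _ in range(4 * 288):                   # initialisation, output discarded
        clock()
    return [clock() for _ in range(n)]


def _bits(data):
    return [(b >> i) & 1 for b in data for i in range(8)]          # LSB first


def _bytes(bits):
    return bytes(sum(bit << i for i, bit in enumerate(bits[j:j + 8]))
                 for j in range(0, len(bits), 8))


def trivium_xor(key, iv, data):
    """E_k(m) of the hybrid ciphertext (and, the cipher being additive, also
    E_k^-1): Alice sends HE_pk(k), the public IV and this value instead of HE_pk(m)."""
    ks = trivium(_bits(key), _bits(iv), 8 * len(data))
    return _bytes([m ^ k for m, k in zip(_bits(data), ks)])


def keystream_reuse_leak(key, iv, m1, m2):
    """What an observer learns if Alice reuses (k, IV) for two messages: the XOR
    of the two ciphertexts, which for an additive cipher equals m1 XOR m2."""
    c1, c2 = trivium_xor(key, iv, m1), trivium_xor(key, iv, m2)
    return bytes(a ^ b for a, b in zip(c1, c2))


def decompression_depth(n_bits):
    """Multiplicative depth of each of the first n_bits keystream bits of the
    circuit Charlie evaluates over HE_pk(k): key bits are fresh ciphertexts,
    IV bits are public and hence plain ints (their values do not affect the result)."""
    zs = trivium([Enc(0)] * 80, [0] * 80, n_bits)
    return [z.depth if isinstance(z, Enc) else 0 for z in zs]


if __name__ == "__main__":
    key, iv = os.urandom(10), os.urandom(10)   # Alice's fresh symmetric key and IV
    message = b"plaintext for Charlie"
    ct = trivium_xor(key, iv, message)
    assert trivium_xor(key, iv, ct) == message
    d = decompression_depth(300)
    print("E_k(m):", ct.hex())
    print("depth of keystream bit 0:", d[0], "/ bit 299:", d[299])
```

Running the block round-trips a message and prints the depth of the first and the 300th keystream bit under the assumed cost model; the depth keeps growing with the number of clocks, which is why only a bounded number of keystream bits can be taken per (*k*, IV) before the evaluator's depth budget is exhausted. `keystream_reuse_leak` illustrates the usual caveat of an additive IV-based cipher: reusing (*k*, IV) for two messages exposes their XOR, so the IV must be fresh for every message compressed under the same *k*.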

## Keywords

Stream ciphers; Homomorphic cryptography; Trivium

## Notes

### Acknowledgements

We thank Yannick Seurin for informing us about the complete characterization of secure hybrid encryption.
