Journal of Cryptology

, Volume 31, Issue 3, pp 885–916 | Cite as

Stream Ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression

  • Anne Canteaut
  • Sergiu Carpov
  • Caroline Fontaine
  • Tancrède Lepoint
  • María Naya-Plasencia
  • Pascal Paillier
  • Renaud Sirdey


In typical applications of homomorphic encryption, the first step consists for Alice of encrypting some plaintext m under Bob’s public key \(\mathsf {pk}\) and of sending the ciphertext \(c = \mathsf {HE}_{\mathsf {pk}}(m)\) to some third-party evaluator Charlie. This paper specifically considers that first step, i.e., the problem of transmitting c as efficiently as possible from Alice to Charlie. As others suggested before, a form of compression is achieved using hybrid encryption. Given a symmetric encryption scheme \(\mathsf {E}\), Alice picks a random key k and sends a much smaller ciphertext \(c' = (\mathsf {HE}_{\mathsf {pk}}(k), \mathsf {E}_k(m))\) that Charlie decompresses homomorphically into the original c using a decryption circuit \(\mathcal {C}_{{\mathsf {E}^{-1}}}\). In this paper, we revisit that paradigm in light of its concrete implementation constraints, in particular \(\mathsf {E}\) is chosen to be an additive IV-based stream cipher. We investigate the performances offered in this context by Trivium, which belongs to the eSTREAM portfolio, and we also propose a variant with 128-bit security: Kreyvium. We show that Trivium, whose security has been firmly established for over a decade, and the new variant Kreyvium has excellent performance. We also describe a second construction, based on exponentiation in binary fields, which is impractical but sets the lowest depth record to \(8\) for \(128\)-bit security.


Stream ciphers Homomorphic cryptography Trivium 



We thank Yannick Seurin for informing us about the complete characterization of secure hybrid encryption.


  1. 1.
    G. Adj, A. Menezes, T. Oliveira, F. Rodríguez-Henríquez, Computing discrete logarithms in \({\mathbb{F}_{3^{6*137}}}\) using Magma. IACR Cryptol. ePrint Arch. 2014, 57 (2014)zbMATHGoogle Scholar
  2. 2.
    M. Albrecht, C. Rechberger, T. Schneider, T. Tiessen, M. Zohner, Ciphers for MPC and FHE, in EUROCRYPT, Part I. LNCS, vol. 9056 (Springer, 2015), pp. 430–454Google Scholar
  3. 3.
    Algorithms, key size and parameters report 2014. Technical report, ENISA (2014)Google Scholar
  4. 4.
    F. Armknecht, V. Mikhalev, On lightweight stream ciphers with shorter internal states, in FSE. LNCS, vol. 9054, (Springer, 2015), pp. 451–470Google Scholar
  5. 5.
    J. Aumasson, I. Dinur, W. Meier, A. Shamir, Cube testers and key recovery attacks on reduced-round MD6 and Trivium, in FSE. LNCS, vol. 5665 (Springer, 2009), pp. 1–22Google Scholar
  6. 6.
    S. Babbage, A space/time trade-off in exhaustive search attacks on stream ciphers, in European Convention on Security and Detection, vol. 408, (IEEE, 1995)Google Scholar
  7. 7.
    R. Barbulescu, P. Gaudry, A. Joux, E. Thomé, A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic, in EUROCRYPT. LNCS, vol. 8441 (Springer, 2014), pp. 1–16Google Scholar
  8. 8.
    M. Bellare, A. Desai, E. Jokipii, P. Rogaway, A concrete security treatment of symmetric encryption, in FOCS, (IEEE Computer Society, 1997), pp. 394–403Google Scholar
  9. 9.
    C. Berbain, H. Gilbert, On the security of IV dependent stream ciphers, in FSE. LNCS, vol. 4593 (Springer, 2007), pp. 254–273Google Scholar
  10. 10.
    A. Biryukov, A. Shamir, Cryptanalytic time/memory/data tradeoffs for stream ciphers, in ASIACRYPT. LNCS, vol. 1976 (Springer, 2000), pp. 1–13Google Scholar
  11. 11.
    M. Bodrato, Towards optimal toom-cook multiplication for univariate and multivariate polynomials in characteristic 2 and 0, in WAIFI. LNCS, vol. 4547 (Springer, 2007), pp. 116–133Google Scholar
  12. 12.
    J. Borghoff, A. Canteaut, T. Güneysu, E.B. Kavun, M. Knezevic, L.R. Knudsen, G. Leander, V. Nikov, C. Paar, C. Rechberger, P. Rombouts, S.S. Thomsen, T. Yalçin, PRINCE—a low-latency block cipher for pervasive computing applications, in ASIACRYPT. LNCS, vol. 7658 (Springer, 2012), pp. 208–225Google Scholar
  13. 13.
    J.W. Bos, K.E. Lauter, J. Loftus, M. Naehrig, Improved security for a ring-based fully homomorphic encryption scheme, in IMACC. LNCS, vol. 8308 (Springer, 2013), pp. 45–64Google Scholar
  14. 14.
    Z. Brakerski, Fully homomorphic encryption without modulus switching from classical GapSVP, in CRYPTO. LNCS, vol. 7417 (Springer, 2012), pp. 868–886Google Scholar
  15. 15.
    Z. Brakerski, C. Gentry, V. Vaikuntanathan, (Leveled) fully homomorphic encryption without bootstrapping. TOCT 6(3),  13 (2014)MathSciNetCrossRefzbMATHGoogle Scholar
  16. 16.
    C. Carlet, P. Méaux, Y. Rotella, Boolean functions with restricted input and their robustness; application to the FLIP cipher. IACR Trans. Symmetric Cryptol. 2017(3), 192–227 (2017)Google Scholar
  17. 17.
    S. Carpov, P. Dubrulle, R. Sirdey, Armadillo: a compilation chain for privacy preserving applications, in ACM CCSW (2015)Google Scholar
  18. 18.
    A. Chakraborti, A. Chattopadhyay, M. Hassan, M. Nandi, TriviA: a fast and secure authenticated encryption scheme, in CHES. LNCS, vol. 9293 (Springer, 2015), pp. 330–353Google Scholar
  19. 19.
    M. Chenal, Q. Tang, On key recovery attacks against existing somewhat homomorphic encryption schemes, in LATINCRYPT. LNCS, vol. 8895 (Springer, 2015), pp. 239–258Google Scholar
  20. 20.
    J.H. Cheon, J. Coron, J. Kim, M.S. Lee, T. Lepoint, M. Tibouchi, A. Yun, Batch fully homomorphic encryption over the integers, in EUROCRYPT. LNCS, vol. 7881 (Springer, 2013), pp. 315–335Google Scholar
  21. 21.
    I. Chillotti, N. Gama, M. Georgieva, M. Izabachène, Faster fully homomorphic encryption: bootstrapping in less than 0.1 seconds, in ASIACRYPT. LNCS, vol. 10031 (Springer, 2016), pp. 3–33Google Scholar
  22. 22.
    J. Coron, T. Lepoint, M. Tibouchi, Scale-invariant fully homomorphic encryption over the integers, in PKC. LNCS, vol. 8383 (Springer, 2014), pp. 311–328Google Scholar
  23. 23.
    N. Courtois, W. Meier, Algebraic attacks on stream ciphers with linear feedback, in EUROCRYPT. LNCS, vol. 2656 (Springer, 2003), pp. 345–359Google Scholar
  24. 24.
    R. Cramer, V. Shoup, Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  25. 25.
    C. De Cannière, O. Dunkelman, M. Knezevic, KATAN and KTANTAN—a family of small and efficient hardware-oriented block ciphers, in CHES. LNCS, vol. 5747 (Springer, 2009), pp. 272–288Google Scholar
  26. 26.
    C. De Cannière, J. Lano, B. Preneel, Comments on the rediscovery of time memory data tradeoffs. Technical report, eSTREAM—ECRYPT Stream Cipher Project (2005). Accessed 21 Dec 2017
  27. 27.
    C. De Cannière, B. Preneel, Trivium, in New Stream Cipher Designs—The eSTREAM Finalists. LNCS, vol. 4986 (Springer, 2008), pp. 244–266Google Scholar
  28. 28.
    I. Dinur, Y. Liu, W. Meier, Q. Wang, Optimized Interpolation Attacks on LowMC. IACR Cryptol. ePrint Arch. 2015, 418 (2015)zbMATHGoogle Scholar
  29. 29.
    I. Dinur, A. Shamir, Cube attacks on tweakable black box polynomials, in EUROCRYPT. LNCS, vol. 5479 (Springer, 2009), pp. 278–299Google Scholar
  30. 30.
    Y. Doröz, Y. Hu, B. Sunar, Homomorphic AES evaluation using the modified LTV scheme. Des. Codes Cryptogr. 80(2), 333–358 (2016)MathSciNetCrossRefzbMATHGoogle Scholar
  31. 31.
    Y. Doröz, A. Shahverdi, T. Eisenbarth, B. Sunar, Toward practical homomorphic evaluation of block ciphers using Prince, in WAHC. LNCS, vol. 8438 (Springer, 2014), pp. 208–220Google Scholar
  32. 32.
    L. Ducas, D. Micciancio, FHEW: bootstrapping homomorphic encryption in less than a second, in EUROCRYPT. LNCS, vol. 9056 (Springer, 2015), pp. 617–640Google Scholar
  33. 33.
    S. Duval, V. Lallemand, Y. Rotella, Cryptanalysis of the FLIP family of stream ciphers, in CRYPTO. LNCS, vol. 9814 (Springer, 2016), pp. 457–475Google Scholar
  34. 34.
    ECRYPT—European network of excellence in cryptology: the eSTREAM stream cipher project (2005). Accessed 21 Dec 2017
  35. 35.
    J. Fan, F. Vercauteren, Somewhat practical fully homomorphic encryption. IACR Cryptol. ePrint Arch. 2012, 144 (2012)Google Scholar
  36. 36.
    S. Fau, R. Sirdey, C. Fontaine, C. Aguilar, G. Gogniat, Towards practical program execution over fully homomorphic encryption schemes, in IEEE International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, (2013), pp. 284–290Google Scholar
  37. 37.
    P. Fouque, T. Vannet, Improving key recovery to 784 and 799 rounds of Trivium using optimized cube attacks, in FSE. LNCS, vol. 8424 (Springer, 2013), pp. 502–517Google Scholar
  38. 38.
    T. Fuhr, B. Minaud, Match box meet-in-the-middle attack against KATAN, in FSE. LNCS, vol. 8540 (Springer, 2014), pp. 61–81Google Scholar
  39. 39.
    C. Gentry, Fully homomorphic encryption using ideal lattices, in STOC, (ACM, 2009), pp. 169–178Google Scholar
  40. 40.
    C. Gentry, S. Halevi, N.P. Smart, Homomorphic evaluation of the AES circuit, in CRYPTO. LNCS, vol. 7417 (Springer, 2012), pp. 850–867Google Scholar
  41. 41.
    C. Gentry, A. Sahai, B. Waters, Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based, in CRYPTO. LNCS, vol. 8042 (Springer, 2013), pp. 75–92Google Scholar
  42. 42.
    J.D. Golic, Cryptanalysis of alleged A5 stream cipher, in EUROCRYPT. LNCS, vol. 1233 (Springer, 1997), pp. 239–255Google Scholar
  43. 43.
    T. Graepel, K.E. Lauter, M. Naehrig, ML confidential: machine learning on encrypted data, in ICISC. LNCS, vol. 7839 (Springer, 2012), pp. 1–21Google Scholar
  44. 44.
    R. Granger, T. Kleinjung, J. Zumbrägel, Breaking ‘128-bit secure’ supersingular binary curves—(or how to solve discrete logarithms in \({\mathbb{F}_{2^{4 \cdot 1223}}}\) and \({\mathbb{F}_{2^{12 \cdot 367}}}\)), in CRYPTO, Part II. LNCS, vol. 8617 (Springer, 2014), pp. 126–145Google Scholar
  45. 45.
    S. Halevi, V. Shoup, Algorithms in HElib, in CRYPTO, Part I. LNCS, vol. 8616 (Springer, 2014), pp. 554–571Google Scholar
  46. 46.
    S. Halevi, V. Shoup, Bootstrapping for HElib, in EUROCRYPT. LNCS, vol. 9056 (Springer, 2015), pp. 641–670Google Scholar
  47. 47.
    J. Herranz, D. Hofheinz, E. Kiltz, Some (in)sufficient conditions for secure hybrid encryption. Inf. Comput. 208(11), 1243–1257 (2010)MathSciNetCrossRefzbMATHGoogle Scholar
  48. 48.
    J. Hong, P. Sarkar, New applications of time memory data tradeoffs, in ASIACRYPT. LNCS, vol. 3788 (Springer, 2005), pp. 353–372Google Scholar
  49. 49.
    T. Iwata, New block cipher modes of operation with beyond the birthday bound security, in FSE. LNCS, vol. 4047 (Springer, 2006), pp. 310–327Google Scholar
  50. 50.
    T. Jakobsen, L.R. Knudsen, The interpolation attack on block ciphers, in FSE. LNCS, vol. 1267 (Springer, 1997), pp. 28–40Google Scholar
  51. 51.
    A. Joux, C. Pierrot, Improving the polynomial time precomputation of Frobenius representation discrete logarithm algorithms—simplified setting for small characteristic finite fields, in ASIACRYPT, Part I. LNCS, vol. 8873 (Springer, 2014), pp. 378–397Google Scholar
  52. 52.
    J. Katz, Y. Lindell, Introduction to Modern Cryptography, 2nd edition. Chapman and Hall/CRC Press, Boca Raton (2014)zbMATHGoogle Scholar
  53. 53.
    A. Khedr, G. Gulak, V. Vaikuntanathan, SHIELD: scalable homomorphic implementation of encrypted data-classifiers. IEEE Trans. Comput. 65(9), 2848–2858 (2016)Google Scholar
  54. 54.
    S. Knellwolf, W. Meier, M. Naya-Plasencia, conditional differential cryptanalysis of NLFSR-based cryptosystems, in ASIACRYPT. LNCS, vol. 6477 (Springer, 2010), pp. 130–145Google Scholar
  55. 55.
    S. Knellwolf, W. Meier, M, Naya-Plasencia, Conditional differential cryptanalysis of Trivium and KATAN, in SAC. LNCS, vol. 7118 (Springer, 2011), pp. 200–212Google Scholar
  56. 56.
    K. Lauter, A. López-Alt, M. Naehrig, Private computation on encrypted genomic data, in LATINCRYPT. LNCS (2014)Google Scholar
  57. 57.
    T. Lepoint, M. Naehrig, A comparison of the homomorphic encryption schemes FV and YASHE, in AFRICACRYPT. LNCS, vol. 8469 (Springer, 2014), pp. 318–335Google Scholar
  58. 58.
    T. Lepoint, P. Paillier, On the minimal number of bootstrappings in homomorphic circuits, in WAHC. LNCS, vol. 7862 (Springer, 2013), pp. 189–200Google Scholar
  59. 59.
    M. Liu, Degree evaluation of NFSR-based cryptosystems, in CRYPTO. LNCS, vol. 10402 (Springer, 2017)Google Scholar
  60. 60.
    P. Méaux, A. Journault, F.X. Standaert, C. Carlet, Towards stream ciphers for efficient FHE with low-noise ciphertexts, in EUROCRYPT. LNCS, vol. 9665 (Springer, 2016), pp. 311–343Google Scholar
  61. 61.
    A. Maximov, A. Biryukov, Two trivial attacks on Trivium, in SAC, vol. 4876 (Springer, 2007), pp. 36–55Google Scholar
  62. 62.
    M. Naehrig, K.E. Lauter, V. Vaikuntanathan, Can homomorphic encryption be practical? in ACM CCSW, (ACM, 2011), pp. 113–124Google Scholar
  63. 63.
    National Institute of Standards and Technology, Recommendation for block cipher modes of operation. NIST Special Publication 800-38A (2001)Google Scholar
  64. 64.
    M. Paindavoine, B. Vialla, Minimizing the number of bootstrappings in fully homomorphic encryption, in SAC 2015. LNCS, vol. 9566 (Springer, 2016), pp. 25–43Google Scholar
  65. 65.
    A. Pincin, A new algorithm for multiplication in finite fields. IEEE Trans. Comput. 38(7), 1045–1049 (1989)MathSciNetCrossRefzbMATHGoogle Scholar
  66. 66.
    C. Rechberger, The FHEMPCZK-cipher zoo. Presented at the FSE 2016 rump session (2016). Accessed 21 Dec 2017
  67. 67.
    P. Rogaway, Evaluation of some block cipher modes of operation. Cryptrec (2011). Accessed 21 Dec 2017
  68. 68.
    N.P. Smart, F. Vercauteren, Fully homomorphic SIMD operations. Des. Codes Cryptogr. 71(1), 57–81 (2014)CrossRefzbMATHGoogle Scholar
  69. 69.
    Y. Todo, T. Isobe, Y. Hao, W. Meier, Cube attacks on non-blackbox polynomials based on division property, in CRYPTO. LNCS, vol. 10402 (Springer, 2017)Google Scholar
  70. 70.
    K. Yasuda, A new variant of PMAC: beyond the birthday bound, in CRYPTO. LNCS, vol. 6841 (Springer, 2011), pp. 596–609Google Scholar

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Anne Canteaut
    • 1
  • Sergiu Carpov
    • 2
  • Caroline Fontaine
    • 3
    • 4
  • Tancrède Lepoint
    • 5
  • María Naya-Plasencia
    • 1
  • Pascal Paillier
    • 6
  • Renaud Sirdey
    • 2
  1. 1.InriaParisFrance
  2. 2.CEA LISTSaclayFrance
  3. 3.Lab-STICC, CNRSBrestFrance
  4. 4.IMT AtlantiqueBrestFrance
  5. 5.SRI InternationalNew YorkUSA
  6. 6.CryptoExpertsParisFrance

Personalised recommendations