1 Introduction

Cloud computing is a modern technology that has matured over the recent years. Hence, more and more companies are expected to migrate to the cloud due to several advantages provided by the concerned solution [1]. Some major advantages of such solution are the virtualization, the scalability, the disaster recovery, the high computation and storing capabilities, etc. Despite all of these advantages, some security issues remain a key barrier to organizations shifting to the cloud. So far, data encryption appears to be a reasonable answer to this issue. However, at some point, encrypted data becomes worthless unless it is decrypted. In other words, if the client needs to apply operations on its encrypted data stored at the cloud side, he must reveal his secret parameters to the cloud for making the latter able to convert the data back into plain-text before performing computations on it. Then, the result is converted back into cipher-text. Hence, the latter operation leaves classified data exposed to non trusted parties. For this reason, companies demand an encryption type that provides scalable, secure, and practical computation services that can be employed in order to save and operate securely on the data at the same time. In this scenario, the encryption type needed is the HE scheme [2], since it is a technique that allows applying mathematical operations on encrypted data without disclosing the initial data contents or the decryption key, as illustrate in Fig. 1.

Fig. 1
figure 1

A general framework for HE schemes

Full size image

There are four types of HE schemes [3] that are presented as follows: Partially Homomorphic Encryption (PHE), Somewhat Homomorphic Encryption (SWHE), Fully Homomorphic Encryption (FHE) and Switchable Homomorphic Encryption (SHE). PHE is the type that permits computation of an unlimited number of additions or multiplications on encrypted data, but not both of them at the same time [4]. SWHE allows a limited number of additions and multiplications to be done simultaneously on the encrypted data, beyond which the result of the calculation returns an erroneous answer [2]. FHE permits an arbitrary number of additions and multiplications to be made on the encrypted data [4]. Existing FHE crypto-systems, on the other hand, have numerous issues, such as prohibitive performance and storage costs for the bulk of practical applications. Lastly, SHE, which debuted in 2014, allows users to profit from the efficiency of PHE schemes by combining them and obtaining the same property as an FHE scheme but with greater performance [5]. This paper is concerned with analyzing PHE schemes, with a focus on designing a new secure and efficient multiplicative HE scheme, competitor to ElGamal crypto-system [6], to be used in cases where multiplication operations are required. As we mentioned previously, in our prior work we designed an additive HE scheme that we named SAVHO [7]. Security and Performance analyses of the SAVHO scheme have shown its high level of security and its efficiency in implementation, which make him a good competitor for the well known additive Paillier crypto-system [8]. Thus, our long term goal from designing both the SAVHO scheme (summarized in Table 12 in Appendix) and the LORMHE crypto-system (detailed in this paper) is to combine them together to form a SHE similar to the work done in [5]. Hence, the resultant scheme should allow to perform all types of operations over encrypted data while maintaining simultaneously the security and the efficiency in implementations.

The remainder of this paper is structured as follows:

  • Section 2: a brief overview of previous work is presented.

  • Section 3: an introduction to the HE and the ElGamal scheme is given.

  • Section 4: a new scheme called LORMHE (Logarithm Operation for Randomization and Multiplicative Homomorphic Encryption scheme) is introduced.

  • Section 5: the resistance of the LORMHE against various types of attacks is presented by applying different security tests and establishing a theoretical crypt-analysis.

  • Section 6: the performance study of LORMHE is completed by establishing a comparison between LORMHE and ElGamal schemes in terms of encryption, decryption and homomorphic behavior execution time and storage overhead.

  • Section 7: conclusion and future work are given.

2 Related work

Since the creation of the HE concept, researchers in academia as well as in industry have been attempting to improve in this sector by creating secure and efficient schemes practical for real-world uses.

Ron Rivest, Adi Shamir, and Leonard Adleman proposed the first HE scheme in the cryptography world in 1978 [9]. The RSA scheme was, in particular, a PHE scheme that can handle an unlimited number of multiplications over the cipher-texts. Then, in 1982, Shafi Goldwasser and Silvio Micali introduced an additive HE scheme that reached a surprising level of security [10]. The latter’s shortcoming is that it can only encrypt a single bit. As a correction, Pascal Paillier devised a successful secure encryption scheme that was also additive HE [11]. Taher ElGamal developed and published a new multiplicative HE scheme a few years later, in 1985, which is still utilized in many applications today [6]. Until 2009, when Craig Gentry invented the first FHE [2], all of the schemes that were created could only handle one of two types of operations: addition or multiplication. Craig Gentry’s method was built on lattices, which made it complicated and unsuitable for real-world use. Following Gentry’s work, in 2010, the DGHV scheme was introduced by Dijk et al. [12]. This scheme is based on integers. It is constructed based on two steps: SWHE and bootastrapping. Its SWHE can return an erroneous result in the case of applying a huge number of additions and multiplications due to noise increase after each homomorphic operation. Bootstrapping is a refresh mechanism introduced to make it FHE by reducing the level of non wanted noise after each homomorphic operation while keeping the primitive plain-text unchanged. Although DGHV permits the application of additive and multiplicative HE operations simultaneously, it suffers from high computational complexity and storage overhead. Following DGHV, several crypto-systems were developed, each with its own set of issues. Therefore, until now, existing FHE schemes are unpractical for real world implementations. Instead of utilizing such FHE techniques, one can apply the well-known Switchable Homomorphic Encryption approach (SHE), which was developed in 2014 [5]. The latter is a hybrid of two partially HE crypto-systems. An additive HE crypto-system may be preferred if additive operations are required; Otherwise, a multiplicative HE scheme may be better. The SHE method can be utilized if both of these are necessary. Paillier and ElGamal were the only two PHE schemes combined by the SHE technique, as indicated in [5]. Implementation has shown that these two partially HE schemes combined together performed better than the existing FHE schemes while giving the requisite amount of security.

HE schemes, in all their forms, are increasingly being employed in numerous sectors. Especially those seeking security while operating on outsourced data.

Paillier’s additive HE crypto-system, for example, was recently employed in e-voting in 2020, as reported in [13] by Miaomiao Zhang and Steven Romero. ElGamal multiplicative HE scheme was used as well in achieving privacy-preserving Iris identification as indicated in [14] in 2019. Furthermore, in 2021, a paper titled “Location Based Recommendation Services Using Switchable Homomorphic Encryption” discussed the importance of using SHE [15].

3 Homomorphic encryption

The term “homomorphism” is derived from the Greek language. \(o\mu oc\)-homos means the same and \(\mu o\rho \phi \eta \)-morphe meaning is structure [16]. As shown in [17], if \((E, \star )\) and \((F, \bullet )\) are two magmas , then a map f from E to F is a homomorphism from \((E, \star )\) to \((F, \bullet )\) if and only if:

\(\forall (a,b)\in E\times E: f(a\star b)=f(a)\bullet f(b)\)

The definition of a homomorphism has lately been transferred to the world of cryptography. In particular, in a HE scheme, the encryption function is the homomorphism. The spaces of plain-texts \({\mathcal {P}}\) and cipher-texts \({\mathcal {C}}\), provided with specific internal composition law, represent the two magmas being mapped from and to. This paper concentrates on using the multiplicative HE crypto-system type which is a HE scheme that can only handle multiplicative operations. In other words, it must mathematically validate the following property: for n plain-texts \((m_1,\ldots ,m_n)\in {\mathcal {P}}\times \cdots \times {\mathcal {P}}\):

$$\begin{aligned} g(Enc_{K}(m_i))=Enc_{K}\left( \prod _{i=1}^{n}m_i\right) \end{aligned}$$
(1)

where Enc() denotes the encryption function, K the secret key and \(g\in \{ \prod _{i=1}^{n},\sum _{i=1}^{n}\}\) [11].

The fundamental advantage of this homomorphic property is that any third party (trusted or not), may compute an encryption of \(\prod _{i=1}^{n}m_i\) from encrypted messages without knowing the secret key or the content of the plain-texts messages \(m_i\).

3.1 ElGamal crypto-system

A condensed description of the ElGamal scheme construction is given in Table 1 as listed in [6].

Table 1 ElGamal scheme
Full size table

4 LORMHE scheme

Motivated by the importance of the ElGamal scheme, a new multiplicative HE scheme (LORMHE) is devised that is competent to ELGamal in terms of implementation efficiency and reduced storage overhead.

The construction steps of LORMHE scheme are presented in details in Sect. 4.1, while the homomorphic behavior of it will be proven in Sect. 4.3.

4.1 Scheme construction

Three basic functions are used in any HE scheme construction: key generation, encryption and decryption processes. Hence, the basic functions of the LORMHE scheme are listed below:

4.1.1 Key generation

The secret key is made up of a pair of random integers denoted by (ag) such that the size of a is 45 bits and the g’s one is greater or equal to 3000 bits. As will be discussed in the security analysis given in Sect. 5, these constraints are imposed in order to achieve the required level of security.

4.1.2 Encryption process

The cipher-text c related to a message \(m \in \mathbb {N}^{*}\) is given by the following equation:

$$\begin{aligned} c=Enc_{(a,g)} (m)= g ^ {log_a (\frac{m}{l})} \times r \end{aligned}$$
(2)

where l and r are picked randomly in \(\mathbb {N}^{*}\) such that they are formed of 40 bits.

4.1.3 Decryption process

Theorem 1

Having the secret key parameters (ag) and the random parameters l and r, retrieving the plain-text m could be done by applying the following decryption function:

$$\begin{aligned} Dec_{(a,g)} (c)=e^{(ln(c)-ln(r))\times \frac{ln (a)}{ln (g)}+ln(l)} \end{aligned}$$
(3)

Lemma 1

The natural logarithmic function ln(x) has the following properties:

\(ln(a\times b)=ln(a)+ ln(b)\), for \(a, b>0\),

\(ln(a^b)=b\times ln(a)\), for \(a>0\),

\(ln(\frac{a}{b})=ln(a)-ln(b)\), for \(a, b>0\).

Lemma 2

The function \(e^x\) has the following property:

\(e^{ln(a)}=a\), for \(a>0\).

Proof of theorem 1

$$\begin{aligned}&Dec_{(a,g)} (c)=e^{(ln(c)-ln(r))\times \frac{ln (a)}{ln (g)}+ln(l)}\\&\quad =e^{(ln(g^{log_a(\frac{m}{l})}\times r)-ln(r))\times \frac{ln (a)}{ln (g)}+ln(l)}\\&\quad =e^{(ln(g^{log_a(\frac{m}{l})})+ln(r)-ln(r))\times \frac{ln (a)}{ln (g)}+ln(l)}\\&\quad =e^{ln(g^{log_a(\frac{m}{l})})\times \frac{ln (a)}{ln (g)}+ln(l)}\\&\quad =e^{{log_a(\frac{m}{l})}ln(g)\times \frac{ln (a)}{ln (g)}+ln(l)}\\&\quad =e^{\frac{ln(\frac{m}{l})}{ln (a)}\times ln (a)+ln(l)}\\&\quad =e^{ln(m)-ln(l)+ln(l)}\\&\quad =e^{ln(m)}\\&\quad =m \end{aligned}$$

4.1.4 Random parameters (l and r) dynamic generation

As given in both Eqs. 2 and 3, the two random parameters (lr) that are generated for the encryption procedure, should be re-used for the decryption procedure. Thus, the latter mechanism will add additional burden in terms of storing, managing and sharing the random parametes (lr) between the communicating entities especially when dealing with large number of plain-texts. To overcome the concerned challenges, a dynamic approach is designed in order to manage and facilitate the random generation and the sharing of both l and r. Hence, starting from a plain-text vector \(X=[x_1, x_2, x_3,\ldots x_N]\) of size N, the dynamic mechanism is given by the algorithm below:

figure f

An illustration of the dynamic generation of both l and r is presented Fig. 2.

Fig. 2
figure 2

L and R dynamic generation

Full size image

After using the dynamic generation algorithm given above in Algorithm 1, there is no need to store the different values of l and r. In this case, the two communicating parties (one performs the encryption and the other performs the decryption) need to store for each encryption session only the specified triple (gak). Thus, using (gak) it is possible to generate the same vectors \(R_{\pi }\) and \(L_{\pi }\) and perform the different cryptographic operations when needed.

4.2 Symmetric or asymmetric HE scheme?

Symmetric encryption techniques are crypto-systems that use the same key for both encryption and decryption. While the asymmetric encryption system, commonly known as public key encryption, employs mathematically linked public and private keys pairs to encrypt and decrypt [18].

Table 2 summarizes the key differences between these two types of encryption schemes.

Table 2 Symmetric vs asymmetric encryption schemes [19, 20]
Full size table

Our crypto-system is classified as symmetric encryption scheme since the same pair of keys (ag) is used to encrypt and decrypt a given message. These systems can be utilized in a variety of real-world applications, including:

  • Payment applications, such as card transactions, where personally identifiable information (PII) must be safeguarded to avoid identity theft or fraudulent charges

  • Validations to confirm that the sender of a message is who he claims to be

  • Random number generation or hashing [21]

However, our primary goal of creating the symmetric crypto-system LORMHE is to merge it with SAVHO [7] via SHE technique [5]. SHE is reliant on two separate clouds. The user is required to divide and then transfer his private keys to the two clouds in order to do a partial decryption while operating on cipher-texts. In other words, whether the system is symmetric or asymmetric is irrelevant. As a result, we opt to profit from the symmetric schemes features while creating our scheme LORMHE.

4.3 Homomorphic behavior

Theorem 2

To be considered as a multiplicative HE scheme, LORMHE crypto-system must verify Eq. 1.

Remark 1

To facilitate the calculation in the proof of theorem 2, the computation of Eq. 1 has been done on two cipher-texts, namely by checking that

\(Dec_{(a,g)}(c_1.c_2)\) equals \(m_1m_2\).

Proof of theorem 2

Let \(c_1=Enc_{(a,g)} (m_1)= g ^ {log_a (\frac{m_1}{l_1})} \times r_1\) and \(c_2 =Enc_{(a,g)} (m_2) = g ^ {log_a (\frac{m_2}{l_2})} \times r_2 \) be two different cipher-texts obtained from applying LORMHE encryption function respectively on two plain-texts \(m_1\) and \(m_2\). Therefore,

$$\begin{aligned}&c_1.c_2 =g^{log_a(\frac{m_1}{l_1})}\times r_1\times g^{log_a(\frac{m_2}{l_2})}\times r_2 \\&\quad =g^{log_a(\frac{m_1}{l_1})+log_a(\frac{m_2}{l_2})}\times r_1 \times r_2 \\&\quad =g^{log_a(\frac{m_1m_2}{l_1l_2})}\times r_1 \times r_2 \end{aligned}$$

Decrypting this result yields the following:

$$\begin{aligned}&Dec_{(a,g)}(c_1.c_2)\\&\quad =e^{[(ln(c_1.c_2)-ln(r_1)-ln(r_2)) \frac{ln(a)}{ln(g)}+ln(l_1)+ln(l_2)]}\\&\quad =e^{[(ln(g^{log_a(\frac{m_1m_2}{l_1l_2})}\times r_1\times r_2)-ln(r_1)-ln(r_2)) \frac{ln (a)}{ln (g)}+ln(l_1)+ln(l_2)]} \\&\quad =e^{[(ln(g^{log_a(\frac{m_1m_2}{l_1l_2})})+ln(r_1)+ln(r_2)-ln(r_1)-ln(r_2)) \frac{ln (a)}{ln (g)}+ ln(l_1)+ln(l_2)]}\\&\quad =e^{[log_a(\frac{m_1m_2}{l_1l_2})ln(g)\frac{ln (a)}{ln (g)}+ln(l_1)+ln(l_2)]}\\&\quad =e^{[log_a(\frac{m_1m_2}{l_1l_2})ln (a)+ln(l_1)+ln(l_2)]} \\&\quad =e^{[\frac{ln(\frac{m_1m_2}{l_1l_2})}{ln(a)}\times ln(a)+ln(l_1)+ln(l_2)]}\\&\quad =e^{[ln(m_1m_2)-ln(l_1l_2)+ln(l_1)+ln(l_2)]}\\&\quad \quad ++ =e^{[ln(m_1m_2)-ln(l_1)-ln(l_2)+ln(l_1)+ln(l_2)]}\\&\quad =e^{[ln(m_1m_2)]}\\&\quad =m_1m_2 \end{aligned}$$

Applying the same steps to a tuple of cipher-texts leads to verifying Eq. 1. Hence, This result ensures that the LORMHE scheme fulfills the multiplicative HE feature for a tuple of cipher-texts.

5 LORMHE security analysis

This section investigates the robustness of the LORMHE scheme against various types of attacks. Such investigations are carried out in two ways:

  1. 1.

    Theoretically: a deep mathematical analysis of its algebraic structure is performed that studies its resistance to known plain-text/cipher-text attacks.

  2. 2.

    Practically: specific security tests are applied over the new scheme as listed [23] that highlight its robustness in defending the statistical and the related key attacks and its verification to some mandatory properties.

5.1 Theoretical crypt-analysis: resistance to known plain-text/cipher-text attacks

As mentioned in [7], a scheme’s resistance to known plain-text/cipher-text assaults is investigated by assuming the presence of an attacker with a tuple pairs of known plain-texts and their associated cipher-texts. This attacker is attempting to disclose the secret key of the scheme in question.

We recall that LORMHE’s secret key is given by (ag) and its encryption function is given by \( c=Enc_{(a,g)} (m)= g ^ {log_a (\frac{m}{l})} \times r\). Hence, a attack model can be presented as given in the upcoming section

5.1.1 Oracle model

Starting with an attacker that has a t tuple pairs of cipher-texts/plain-texts denoted by \((m_1,c_1),\) \(\ldots ,\) \((m_t,c_t)\), in order to reveal the secret key and parameters of the scheme, he can do the following steps:

  1. 1.

    Building a System Using the Known Pairs of Plain-text/Cipher-text \((m_i,c_i)_{(1 \le i \le t)}\): the attacker is able to construct the following system

    $$\begin{aligned} \begin{array}{ll} c_1=g ^ {log_a (\frac{m_1}{l_1})} \times r_1 \\ c_2=g ^ {log_a (\frac{m_2}{l_2})} \times r_2\\ \vdots \\ c_t=g ^ {log_a (\frac{m_t}{l_t})} \times r_t \end{array} \end{aligned}$$
    (4)
  2. 2.

    Linearizing the Obtained System: the attacker can linearize the system given Eq. in 4 by applying the natural logarithm function to each cipher-text as follows: \(\forall i\in [1,t],\) \(ln(c_i)=ln(g)log_a (\frac{m_i}{l_i})+ln(r_i)=ln(g) \frac{ln(m_i)-ln(l_i)}{ln(a)}+ln(r_i)\). In order to make the prior system’s writing easier, the attacker can assume that \(\forall i \in [1,t]\), \(A_i=ln(c_i)\), \(B_i=ln(m_i)\), \(X=ln(g)\), \(Y=\frac{1}{ln(a)}\), \(Z_i=ln(l_i)\) and \(T_i=ln(r_i)\). Therefore, the new linear version of the system is given as follows:

    $$\begin{aligned} \left\{ \begin{array}{ll} A_1=XY(B_1-Z_1)+T_1 \\ A_2=XY(B_2-Z_2)+T_2\\ \vdots \\ A_t=XY(B_t-Z_t)+T_t \end{array} \right. \end{aligned}$$
    (5)

    where, \(\forall i\in [1,t]\), X, Y, \(Z_i\) and \(T_i\) are the unknown values while \(A_i\) and \(B_i\) are the known ones. As a result, the attacker is confronted with a system that has t equations and \(2t+2\) unknowns.

  3. 3.

    Mathematical Problem Formulation: the attacker is working with a system with infinite solutions, and disclosing the secret key is not feasible. As a conclusion, the security of the concerned scheme is based on the mathematical hardness of solving an indeterminate linear system [22].

5.2 Security tests

In this section, the immunity of the LORMHE scheme against attacks is investigated by implementation. Different security tests are implemented as given in [23] in order to determine the required level of the security parameters sizes for achieving a secure implementation that can resist against related key attacks and statistical attacks and assures the presence of avalanche effect. Security tests were implemented under Mathematica on a machine having the following technical specifications (Table 3):

Table 3 Machine specification
Full size table

A dynamic Graphical User Interface (GUI) was developed on Mathematica. This GUI allows the user to change the different security parameters sizes and to instantly evaluate their effects on the tests values. These values were found to be most optimal around a fixed value of the size of a, l and r, and getting closer to their ideal values for an increasing size of g (we recall that g is a part of the secret key and used during the encryption procedure given in Eq. 2). As result, the a, l and r values were easily identified and set, as illustrated in Table 4. Then, the main purpose of the following security tests is to determine the required size of the parameter g in order to achieve a secure implementation for the LORMHE scheme.

Table 4 Security parameters size in bits
Full size table

5.2.1 Resistance against related key attacks

The Key Sensitivity (KS) test is used to evaluate the resilience of a given scheme against related key attacks. This test permits to measure the percentage of change at the bit level that may be made on a cipher-text owing to a slight change in the secret key while retaining the same plain-text. The following formula is used to calculate the KS test :

$$\begin{aligned} KS_m = \dfrac{1}{T}\sum _{i=1}^{T} E_K(m)_i \oplus E_{K'}(m)_i \end{aligned}$$
(6)

Where K represents the original key parameter and \(K'\) the new one obtained by flipping the least significant bit (LSB) of one random byte of the original key. The KS test ideal value is 50%, indicating an important change as a reaction to the slight perturbation. In Table 5, the mean KS values for the LORMHE scheme are calculated through Eq. 6, for 10,000 iterations by varying the size of the security parameter g from 100 to 4000 bits. According to Table 5, the KS value has gotten close to the ideal one and more stable starting size of \(g =\) 3000 bits, with a mean value of 48.1898%. Consequently, the KS test demonstrates that the LORMHE scheme is resistant against related key attacks at g size \(\ge \) 3000 bits.

Table 5 KS mean values variation according to g size in bits
Full size table

5.2.2 Presence of avalanche effect

The avalanche effect is an advantageous characteristic for any encryption scheme. It describes a significant change in a system’s output when only a slight modification in the input is made. A way to evaluate the avalanche effect in an encryption scheme is the Plain-text Sensitivity (PS) test. The formula used in such types of tests is given as follows :

$$\begin{aligned} PS_m = \dfrac{1}{T}\sum _{i=1}^{T} E_K(m)_i \oplus E_{K}(m')_i \end{aligned}$$
(7)

Where K is the key parameter, m is the original plain-text message and \(m'\) the new plain-text message, obtained by flipping one random bit of m. The PS is the bit-wise difference of the two differently obtained cipher-texts. To reach a high level of security, a scheme must have around 50% as PS value. The result of applying the PS test, through Eq. 7, for 10,000 iterations on the LORMHE scheme according to the variation of the g size from 100 to 4000 bits is shown in Table 6. An analysis of the presented table shows that starting at g size equal to 3000 bits, the PS value approaches 50%, with a mean value of 48.7488%. Consequently, the PS test ensures that the LORMHE scheme presents the avalanche effect for size of g \(\ge \) 3000 bits.

Table 6 PS mean values variation according to g size in bits
Full size table

5.2.3 Resistance against statistical attacks

In order to ensure a high level of resistance against statistical attacks, a scheme must satisfy the two following properties given below:

  1. 1.

    Uniformity: tested by the entropy and the distribution tests.

  2. 2.

    Independence: tested by the correlation and the difference tests.

Hence, in order to validate the two properties highlighted above, different security tests are implemented as follows:

  1. 1.

    Entropy test: the entropy value quantifies the level of uncertainty in a random variable. The entropy of a given message m is defined by the following formula :

    $$\begin{aligned} H(m) = - \sum _{\begin{array}{c} i=0\\ P(x_i)\ne 0 \end{array}}^{2^M - 1} P(x_i)log_2(P(x_i)) \end{aligned}$$
    (8)

    where \(p(x_i)\) is the probability of occurrence of symbol \(x_i\), and \(2^M\) the total number of states of information. The ideal value of entropy, equal to M, is encountered when the random variable satisfies the uniformity property. In this case, the ideal value that should be encountered is 8 (\(2^8=256\)). In Table 7, the mean entropy values for the LORMHE scheme are calculated through Eq. 8, for 10,000 iterations by varying the size of the security parameter g from 100 to 4000 bits. By examining Table 7, it is obvious that the mean entropy value approaches the ideal value 8 starting from g size equals to 3000 bits with a mean value of 7.86275 and continues to grow reaching a maximal value of 7.89824. As a result, the entropy test shows that the LORMHE scheme verifies the uniformity property for size of g \(\ge \) 3000 bits.

  2. 2.

    Difference test: the difference test quantifies the bit-level percentage difference between the plain-texts and their corresponding cipher-texts. The difference test values are obtained using the following formula:

    $$\begin{aligned} D(m, c) = \dfrac{1}{T} \sum _{i=1}^{T} m_i \oplus c_i \end{aligned}$$
    (9)

    where (mc) denotes a plain-text message and its matching cipher-text c, and T is their bit length. To be considered secure, a scheme must get around 50% as result in this type of test. Such result indicates that there is no clear relationship at the bit level between cipher-texts and plain-texts. In Table 8, the mean difference values for the LORMHE scheme are calculated through Eq. 9, for 10,000 iterations by varying the g size as done in the previous tests. Table 8 shows that for g size equal to or greater than 3000 bits, the difference value approaches the ideal one, with a mean value of 49.365%. Thus, the difference test demonstrates that the LORMHE scheme verifies the independence property for size of g \(\ge \) 3000 bits.

  3. 3.

    Correlation test : in order to be secure, an encryption scheme must present a low correlation between the plain-texts and their matching cipher-texts as there should be no clear relation that can be used to deduce one from the other. The correlation value is obtained using the following equation :

    $$\begin{aligned} \rho _{X, Y} = \dfrac{cov(X, Y)}{\sqrt{D(X) \times D(Y)}} \end{aligned}$$
    (10)

    where \(cov(X, Y) = E[(X - E(X))(Y - E(Y))]\), \(E(X) = \dfrac{1}{n}\sum _{k=0}^{n}x_k\) and \(D(X) = \dfrac{1}{n} \sum _{k=0}^{n}[x_k - E(X)]^2\). The ideal value of correlation is 0 and it is encountered when there’s no linear relationship between the two variables X and Y, namely the plain-texts and their corresponding cipher-texts. In Table 9, the mean correlation values for the LORMHE scheme are calculated through Eq. 10, for 10,000 iterations by varying the size of the security parameter g from 100 to 4000 bits. By analyzing Table 9, it is clear that all the correlation values are near to zero, regardless of g size. Therefore, the LORMHE scheme ensures low correlation between its plain-texts and cipher-texts.

As conclusion, the LORMHE scheme provides resistance to statistical attacks as long as the g size is equal or greater than 3000 bits. To validate the LORMHE scheme’s resilience to statistical attacks for g size \(\ge 3000\), distribution test is implemented while taking g size equal to 3000 as follows:

Table 7 Entropy mean values variation according to g size in bits
Full size table
Table 8 Difference mean values variation according to g size in bits
Full size table
Table 9 Correlation test mean values according to g size in bits
Full size table

Distribution test: the distribution test is based on examining the distribution of cipher-text byte values frequency counts. Such distribution should be uniform to guarantee that the cipher-texts will never leak information on the plain-texts distribution and therefore deduce that the scheme in question is secure. Figure 3 depicts the frequency counts form of a message before and after the LORMHE method is applied to it. As a result, for a 10,000 Bytes plain-texts message length generated using a Gaussian distribution (mean: = 128, standard deviation: = 32), one can see that the frequency counts distribution of the corresponding cipher-texts (after taking the security parameter \(g= 3000\) as required for achieving a secure level of security) has a peak at a byte value of around 65. Further investigations and calculations revealed that this was caused by the double precision representation on 64 bits of the cipher-texts using the IEEE 754 standard. Effectively, as all cipher-text were in more or less the same range, resulting in a more or less constant exponent value. This exponent being coded on 11 bits will result in one or two bytes in the cipher-text having a low variance, hence, a peak in that distribution. This is not a security problem as it reveals no specific information about the plain-texts, only the exponent of the cipher-texts which does not limit the search space enough to be exploited in case of possible attack. Disregarding that peak, the distribution of byte-values frequency is close to a uniform distribution. Therefore, the scheme can be seen satisfying the uniformity property.

Fig. 3
figure 3

Distribution test: a Plain-texts, b LORMHE cipher-texts

Full size image

5.3 Analysis and conclusion

To summarize, all of the security tests driven in the previous sections ensure that the newly created HE scheme LORMHE is highly secure for particular sizes of the security parameters a, g, l, and r shown in the Table 10.

Table 10 Security parameters size in bits
Full size table

6 Performance analysis

The performance analysis of the LORMHE crypto-system is presented and explained in this section. It is accomplished by comparing the execution timings of its various functions and storage overhead to those of the ElGamal scheme. The two schemes are securely implemented in the latter part as follows:

  • LORMHE scheme : as discussed in Sect. 5, a secure implementation of the LORMHE crypto-system is obtained when the secret key parameter size of g is equal to or greater than 3000 bits, the a size is 45 bits and the l and r sizes are 40 bits.

  • ElGamal scheme : as mentioned in Sect. 3.1, a secure implementation for this scheme requires minimum 3072 bits for the key size q.

6.1 Implementation performance study and comparison

Different implementations are done using the same working environment described in Sect. 5.2 (Table 3). Various comparisons and analyses are carried out by changing the plain-text message size from 10 bytes to 100 bytes in steps of 10, and determining the mean metric of each implementation for 50 iterations as follows:

6.1.1 Cryptography functions

The encryption and decryption procedures are the two major cryptography functions for both the LORMHE and ELGamal schemes.

Fig. 4
figure 4

Comparison of mean encryption execution time between LORMHE and ElGamal schemes

Full size image
Fig. 5
figure 5

Comparison of mean decryption execution time between LORMHE and ElGamal schemes

Full size image

Figures 4 and 5 provide a comparison of the mean execution times for the encryption and decryption functions for both the LORMHE and ElGamal schemes using logarithmic scales. After examining the two figures, it is apparent that the LORMHE crypto-system is quicker than the ElGamal scheme. As a result, our new multiplicative HE scheme outperforms the ElGamal crypto-system.

6.1.2 Multiplication on encrypted data

Fig. 6
figure 6

Comparison of mean homomorphic multiplication execution time between LORMHE and ElGamal schemes

Full size image

Figure 6 represents the mean execution time for the homomorphic multiplication property applied to both schemes using logarithmic scale. It is clear that the LORMHE scheme is also, in this case, faster than the ELGamal crypto-system.

6.1.3 Storage overhead

The evolution of storage overhead for both encryption schemes in terms of the length of the plain-text messages is shown in the logarithmic scale in Fig. 7 below. After a deep examination of this graph, it is clear that the LORMHE scheme’s storage overhead outperforms the ELGamal scheme’s.

Fig. 7
figure 7

Comparison of storage overhead between LORMHE and ELGamal schemes

Full size image

6.2 Results analysis

In this section, the LORMHE and ElGamal schemes were implemented and represented in their secure condition ((garl) sizes equal respectively to (3072,45,

40,40) bits for LORMHE and q size equals to 3072 bits for ElGamal). Analyzing the results shows that the LORMHE scheme performing is better than the ElGamal scheme in terms of execution time for encryption, decryption and homomorphic multiplication property. Furthermore, the LORMHE was proven to be more storage efficient as it presented a lower storage overhead compared to ElGamal. In conclusion, the LORMHE scheme is a strong rival to the well-known HE ElGamal scheme. In Table 11 listed below, the minimum (for \(Mess\_Leng=10\) Bytes) and maximum (for \(Mess\_Leng=100\) Bytes) values of each implementation’s mean metric are listed. \(\displaystyle {\epsilon =\frac{highest\_value}{lowest\_value}}\) values are also supplied to show numerically the efficacy of the LORMHE scheme in comparison to ELGamal’s cryptosystem.

Table 11 Implementations minimum and maximum mean metrics in linear scale
Full size table

7 Conclusion and future work

The interest for HE is at the moment at its peak. It enables data analysis while keeping its content securely encrypted. One of the biggest challenge in this sector is the design of a scheme that will be at the perfect intersection of security and efficiency. In this paper, a new multiplicative HE scheme, called LORMHE, has been designed. A crypt-analysis study of the latter proved that it is secure and resistant against several types of attacks. Furthermore, performance study has revealed that the new scheme is a good substitute for the well-known ELGamal crypto-system.

Future work resides in exploiting the SAVHO and the LORMHE scheme homomorphic properties in order to design a new secure and efficient SHE scheme competent to the Paillier/ElGamal ones as well to existing and well known FHE crypto-systems like the BGV scheme [24].