Design and implementation of low-depth pairing-based homomorphic encryption scheme

  • Vincent Herbert
  • Bhaskar Biswas
  • Caroline Fontaine
Regular Paper


Homomorphic encryption allows operations to be carried out directly on encrypted data. In this paper, we focus on the design of a scheme based on pairings and elliptic curves that is able to handle applications where the number of multiplications is not too high, with interesting practical efficiency when compared to lattice-based solutions. The starting point is the Boneh–Goh–Nissim (BGN for short) encryption scheme (Boneh et al. in Kilian J (ed) Theory of cryptography, second theory of cryptography conference, TCC 2005, Cambridge, MA, USA, February 10–12, 2005), which enables the homomorphic evaluation of polynomials of degree at most 2 on ciphertexts. In our scheme, we use constructions coming from Freeman (Gilbert H (ed) Advances in cryptology—EUROCRYPT 2010, 29th annual international conference on the theory and applications of cryptographic techniques, French Riviera, May 30–June 3, 2010) and Catalano and Fiore (Ray I, Li N, Kruegel C (eds) Proceedings of the 22nd ACM SIGSAC conference on computer and communications security, Denver, CO, USA, October 12–16, 2015) to propose a variant of the BGN scheme that can handle the homomorphic evaluation of polynomials of degree at most 4. We discuss both the mathematical structure of the scheme and its implementation. We provide simulation results showing the relevance of this solution for applications requiring a low multiplicative depth, and give a relative comparison with respect to lattice-based homomorphic encryption schemes.
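The abstract relies on the Catalano–Fiore lift, which turns a scheme that evaluates degree-d polynomials into one that evaluates degree 2d; the paper applies it on top of BGN's pairing-based degree-2 evaluation to reach degree 4. As an added illustration that is not the paper's code (and uses no pairings), the same lift is shown below on a toy Paillier instance, taking a linearly homomorphic scheme from degree 1 to degree 2; the primes, the function names and the sample inputs are all constructed for this example.

```python
import secrets
from math import gcd

# Constructed toy Paillier parameters: far too small for real use, chosen only
# to make the arithmetic of the lift visible.
P, Q = 1000000007, 998244353
N, N2 = P * Q, (P * Q) ** 2
LAMBDA = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)      # lcm(P-1, Q-1)
MU = pow(LAMBDA, -1, N)                              # L(g^lambda) = lambda for g = 1 + N

def encrypt(m):
    r = secrets.randbelow(N - 1) + 1
    while gcd(r, N) != 1:
        r = secrets.randbelow(N - 1) + 1
    return pow(1 + N, m % N, N2) * pow(r, N, N2) % N2

def decrypt(c):
    return (pow(c, LAMBDA, N2) - 1) // N * MU % N

# Level-1 ciphertext (Catalano–Fiore): split m = a + b, publish a in the
# clear and b under the additively homomorphic scheme.
def cf_encrypt(m):
    b = secrets.randbelow(N)
    return ((m - b) % N, encrypt(b))

def cf_mul(c1, c2):
    # Multiplying two level-1 ciphertexts yields a level-2 one: alpha = a1*a2,
    # beta = Enc(a2*b1 + a1*b2), plus the pair whose product b1*b2 the key holder adds.
    (a1, B1), (a2, B2) = c1, c2
    beta = pow(B1, a2, N2) * pow(B2, a1, N2) % N2
    return (a1 * a2 % N, beta, [(B1, B2)])

def cf_add2(d1, d2):
    # Level-2 ciphertexts remain additively homomorphic.
    return ((d1[0] + d2[0]) % N, d1[1] * d2[1] % N2, d1[2] + d2[2])

def cf_decrypt2(d):
    alpha, beta, pairs = d
    total = alpha + decrypt(beta) + sum(decrypt(x) * decrypt(y) for x, y in pairs)
    return total % N

def encrypted_inner_product(xs, ys):
    # Degree-2 polynomial sum(x_i * y_i) evaluated entirely on ciphertexts;
    # the decrypted result is returned so it can be compared with the plaintext value.
    cx = [cf_encrypt(x) for x in xs]
    cy = [cf_encrypt(y) for y in ys]
    acc = cf_mul(cx[0], cy[0])
    for c1, c2 in zip(cx[1:], cy[1:]):
        acc = cf_add2(acc, cf_mul(c1, c2))
    return cf_decrypt2(acc)
```

Note that a level-2 ciphertext grows by one ciphertext pair per multiplication and cannot be multiplied again, which is exactly why the degree bound doubles rather than disappearing.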


Keywords: Homomorphic encryption; Pairing-based cryptography; Elliptic curves; Low-depth circuits



We sincerely thank Aurore Guillevic for our discussions concerning the security estimation of our scheme according to the last attacks published. This work has been funded by Region Bretagne under grant AAP PME 2014, 14006192.


References

  1. Boneh, D., Goh, E.-J., Nissim, K.: Evaluating 2-DNF formulas on ciphertexts. In: Kilian, J. (ed.) Theory of Cryptography, Second Theory of Cryptography Conference, TCC 2005, Cambridge, MA, USA, February 10–12, 2005, Proceedings, Volume 3378 of Lecture Notes in Computer Science, pp. 325–341. Springer (2005)
  2. Freeman, D.M.: Converting pairing-based cryptosystems from composite-order groups to prime-order groups. In: Gilbert, H. (ed.) Advances in Cryptology—EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, French Riviera, May 30–June 3, 2010, Proceedings, Volume 6110 of Lecture Notes in Computer Science, pp. 44–61. Springer (2010)
  3. Catalano, D., Fiore, D.: Using linearly-homomorphic encryption to evaluate degree-2 functions on encrypted data. In: Ray, I., Li, N., Kruegel, C. (eds.) Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, October 12–16, 2015, pp. 1518–1529. ACM (2015)
  4. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Advances in Cryptology—EUROCRYPT 1999, Number 1592 in LNCS, pp. 223–238 (1999)
  5. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31(4), 469–472 (1985)
  6. Boneh, D.: The decision Diffie–Hellman problem. In: Proceedings of the Third International Symposium on Algorithmic Number Theory, ANTS-III, London, UK, pp. 48–63. Springer (1998)
  7. El Mrabet, N., Joye, M.: Guide to Pairing-Based Cryptography. CRC Press, Boca Raton (2017)
  8. Gentry, C.: Fully homomorphic encryption using ideal lattices. STOC 9, 169–178 (2009)
  9. Gentry, C.: A fully homomorphic encryption scheme. Ph.D. thesis, Stanford University (2009)
  10. Bianchi, T., Piva, A., Barni, M.: On the implementation of the discrete Fourier transform in the encrypted domain. IEEE Trans. Inf. Forensics Secur. 4(1), 86–97 (2009)
  11. Aguilar-Melchor, C., Gaborit, P., Herranz, J.: Additively homomorphic encryption with d-operand multiplications. In: Advances in Cryptology—CRYPTO 2010, pp. 138–154. Springer (2010)
  12. Lauter, K., López-Alt, A., Naehrig, M.: Private computation on encrypted genomic data. In: International Conference on Cryptology and Information Security in Latin America, pp. 3–27. Springer (2014)
  13. van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully homomorphic encryption over the integers. In: Advances in Cryptology—EUROCRYPT 2010, pp. 24–43. Springer (2010)
  14. Smart, N.P., Vercauteren, F.: Fully homomorphic encryption with relatively small key and ciphertext sizes. In: International Workshop on Public Key Cryptography, pp. 420–443. Springer (2010)
  15. Naehrig, M., Lauter, K.E., Vaikuntanathan, V.: Can homomorphic encryption be practical? In: ACM CCSW, pp. 113–124. ACM (2011)
  16. Gentry, C., Halevi, S., Smart, N.P.: Fully homomorphic encryption with polylog overhead. In: Advances in Cryptology—EUROCRYPT 2012, pp. 465–482. Springer (2012)
  17. Gentry, C., Halevi, S.: Fully homomorphic encryption without squashing using depth-3 arithmetic circuits. In: 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science (FOCS), pp. 107–109. IEEE (2011)
  18. Coron, J.-S., Naccache, D., Tibouchi, M.: Public key compression and modulus switching for fully homomorphic encryption over the integers. In: Advances in Cryptology—EUROCRYPT 2012, pp. 446–464. Springer (2012)
  19. Fan, J., Vercauteren, F.: Somewhat practical fully homomorphic encryption. IACR Cryptol. ePrint Arch. 2012, 144 (2012)
  20. Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Advances in Cryptology—CRYPTO 2013, pp. 75–92. Springer (2013)
  21. Bos, J.W., Lauter, K., Loftus, J., Naehrig, M.: Improved security for a ring-based fully homomorphic encryption scheme. In: International Conference on Cryptography and Coding. Springer (December 2013)
  22. Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) Fully homomorphic encryption without bootstrapping. TOCT 6(3), 13 (2014)
  23. Brakerski, Z., Vaikuntanathan, V.: Lattice-based FHE as secure as PKE. In: Proceedings of the 5th Conference on Innovations in Theoretical Computer Science—ITCS 2014, pp. 1–12. ACM (2014)
  24. Khedr, A., Gulak, G., Vaikuntanathan, V.: SHIELD: scalable homomorphic implementation of encrypted data-classifiers. IEEE Trans. Comput. 65, 2848–2858 (2015)
  25. Doröz, Y., Sunar, B.: Flattening NTRU for evaluation key free homomorphic encryption. Cryptology ePrint Archive, Report 2016/315 (2016)
  26. Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: Faster fully homomorphic encryption: bootstrapping in less than 0.1 seconds. In: Advances in Cryptology—ASIACRYPT 2016, 22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4–8, 2016, Proceedings, Part I, pp. 3–33 (2016)
  27. Armknecht, F., Sadeghi, A.-R.: A new approach for algebraically homomorphic encryption. IACR Cryptol. ePrint Arch. 2008, 422 (2008)
  28. Guruswami, V., Sudan, M.: Improved decoding of Reed–Solomon and algebraic-geometric codes. In: 39th Annual Symposium on Foundations of Computer Science, 1998, Proceedings, pp. 28–37. IEEE (1998)
  29. Augot, D., Finiasz, M.: A public key encryption scheme based on the polynomial reconstruction problem. In: Advances in Cryptology—EUROCRYPT 2003, pp. 645–645 (2003)
  30. Kiayias, A., Yung, M.: Directions in polynomial reconstruction based cryptography. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 87(5), 978–985 (2004)
  31. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34 (2009)
  32. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Advances in Cryptology—EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, French Riviera, May 30–June 3, 2010, Proceedings, pp. 1–23. Springer, Berlin (2010)
  33. Guillevic, A.: Arithmetic of pairings on algebraic curves for cryptography. Ph.D. thesis, Ecole Normale Supérieure de Paris - ENS Paris (December 2013)
  34. Guillevic, A.: Comparing the pairing efficiency over composite-order and prime-order elliptic curves. In: Applied Cryptography and Network Security—11th International Conference, ACNS 2013, Banff, AB, Canada, June 25–28, 2013, Proceedings, pp. 357–372 (2013)
  35. Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves. J. Cryptol. 23(2), 224–280 (2009)
  36. Naehrig, M., Niederhagen, R., Schwabe, P.: New software speed records for cryptographic pairings. In: Abdalla, M., Barreto, P.S.L.M. (eds.) Progress in Cryptology—LATINCRYPT 2010, First International Conference on Cryptology and Information Security in Latin America, Puebla, Mexico, August 8–11, 2010, Proceedings, Volume 6212 of Lecture Notes in Computer Science, pp. 109–123. Springer (2010)
  37. Vercauteren, F.: Optimal pairings. IEEE Trans. Inf. Theory 56(1), 455–461 (2010)
  38. Enge, A., Milan, J.: Implementing cryptographic pairings at standard security levels. In: Security, Privacy, and Applied Cryptography Engineering, 4th International Conference, SPACE 2014, Pune, India, October 18–22, 2014, Proceedings, pp. 28–46. Springer, Cham (2014)
  39. Azarderakhsh, R., Fishbein, D., Grewal, G., Hu, S., Jao, D., Longa, P., Verma, R.: Fast software implementations of bilinear pairings. IEEE Trans. Dependable Secur. Comput. 14(6), 605–619 (2017)
  40. Mitsunari, S.: A fast implementation of the optimal ate pairing over BN curve on Intel Haswell processor. IACR Cryptol. ePrint Arch. 2013, 362 (2013)
  41. Aranha, D.F., Barreto, P.S.L.M., Longa, P., Ricardini, J.E.: The realm of the pairings. In: International Conference on Selected Areas in Cryptography, pp. 3–25. Springer (2013)
  42. Zavattoni, E., Perez, L.J.D., Mitsunari, S., Sánchez-Ramírez, A.H., Teruya, T., Rodríguez-Henríquez, F.: Software implementation of an attribute-based encryption scheme. IEEE Trans. Comput. 64(5), 1429–1441 (2015)
  43. Bonnoron, G., Fontaine, C., Gogniat, G., Herbert, V., Lapôtre, V., Migliore, V., Roux-Langlois, A.: Somewhat/Fully Homomorphic Encryption: Implementation Progresses and Challenges, pp. 68–82. Springer, Cham (2017)
  44. Albrecht, M., Bai, S., Ducas, L.: A subfield lattice attack on overstretched NTRU assumptions: cryptanalysis of some FHE and graded encoding schemes. Cryptology ePrint Archive, Report 2016/127 (2016)
  45. Kirchner, P., Fouque, P.-A.: Comparison between subfield and straightforward attacks on NTRU. Cryptology ePrint Archive, Report 2016/717 (2016)
  46. Migliore, V., Bonnoron, G., Fontaine, C.: Determination and exploration of practical parameters for the latest Somewhat Homomorphic Encryption (SHE) schemes. Working paper or preprint (October 2016)
  47. Aguilar-Melchor, C.: Private communication
  48. Chen, H., Laine, K., Player, R.: Simple Encrypted Arithmetic Library—SEAL v2.1. IACR Cryptology ePrint Archive, Report 2017/224 (2017)
  49. Galbraith, S., Hess, F., Vercauteren, F.: Hyperelliptic pairings. In: Pairing-Based Cryptography—Pairing 2007, pp. 108–131 (2007)
  50. Kim, T., Barbulescu, R.: Extended tower number field sieve: a new complexity for the medium prime case. In: Annual Cryptology Conference, pp. 543–571. Springer (2016)
  51. Hitt, L.: On the minimal embedding field. In: Pairing-Based Cryptography—Pairing 2007, pp. 294–301 (2007)
  52. Lenstra, A.K., Lenstra Jr., H.W., Manasse, M.S., Pollard, J.M.: The number field sieve. In: The Development of the Number Field Sieve, pp. 11–42. Springer (1993)
  53. Menezes, A., Sarkar, P., Singh, S.: Challenges with assessing the impact of NFS advances on the security of pairing-based cryptography. In: Proceedings of Mycrypt (2016)
  54. Barbulescu, R., Duquesne, S.: Updating key size estimations for pairings. Cryptology ePrint Archive, Report 2017/334 (2017)
  55. Duquesne, S., El Mrabet, N., Haloui, S., Rondepierre, F.: Choosing and generating parameters for low level pairing implementation on BN curves (2015)
  56. Khandaker, Md.A.-A., Nanjo, Y., Ghammam, L., Duquesne, S., Nogami, Y., Kodera, Y.: Efficient optimal ate pairing at 128-bit security level. In: International Conference in Cryptology in India, pp. 186–205. Springer (2017)
  57. Aranha, D.: Pairings are not dead, just resting. 21st Workshop on Elliptic Curve Cryptography (November 2017)
  58. Che, H., Han, K., Zhicong, H., Jalali, A., Laine, K.: Simple Encrypted Arithmetic Library—SEAL (v2.3.0). Technical report (December 2017)

Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2018

Authors and Affiliations

  • Vincent Herbert (1)
  • Bhaskar Biswas (2)
  • Caroline Fontaine (2)

  1. CEA Paris-Saclay, Paris, France
  2. CNRS UMR 6285 Lab-STICC and IMT-Atlantique, Brest, France
