libshe

Symmetric somewhat homomorphic encryption library based on DGHV scheme.

Introduction

Homomorphic encryption is a kind of encryption that allows to execute functions over the ciphertexts without decrypting them. This library implements a symmetric variant of originally asymmetric somewhat homomorphic encryption scheme over the integers by van Dijk et al. DGHV10 using ciphertext compression techniques from CNT11. The symmetricity of the scheme means that only the private key is used to encrypt and decrypt ciphertexts. A relatively small public element, however, is used in homomorphic operations, but it is not a real public key.

Such scheme is useful in secure function evaluation setting, where a client encrypts an input to an algorithm using their private key, sends it to a server which executes an algorithm homorphically, and sends the output back to the client. The client then obtains the output of the algorithm by decrypting server response using the private key.

See the following diagram for visual explanation.

• Let f be an algorithm to be evaluated on a server.
• Let a[1], a[2], ... a[n] be inputs of f that client provides to the server.
• Let b[1], b[2], ... b[n] be inputs of f that server possesses.
• Let p be the client's private key, and x[0] be the corresponding public element

Status

Warning. This is experimental software. It is not to be used in mission-critical applications. Since the time this software was written, parameters of the underlying scheme were broken many times.

Installation

You can consult the .travis.yml for concrete installation commands on Debian-based systems.

Requirements

• gcc >= 4.8
• boost >= 1.55
• GMP >= 6.0.0
• lcov >= 1.11 (optional)

Building and installation

Build and install libshe.so library and headers:

make
sudo make install

You can also uninstall with

sudo make uninstall

Usage

Tests and benchmarks

Run tests:

make tests

Note. Running tests will compile sources with debug options. Do make clean before installing if tests were run previously.

Run benchmarks:

make benchmarks

Building your program

Use C++11 and link against GMP and Boost Serialization when building your program:

-std=c++11 -lgmp -lboost_serialization -lshe

Include libshe in your sources:

#include <she.hpp>

using she::ParameterSet;
using she::PrivateKey;
// ...

Example

The following example assumes a client and a server that are engaged in a two-party secure function evaluation protocol.

Client generates a parameter set:

const ParameterSet params = ParameterSet::generate_parameter_set(62, 1, 42);

Given these parameters, the encryption scheme exhibits following properties:

• Security level is (62-bit)
• At least 1 multiplication can be evaluated on every bit in the ciphertext
• The non-secure random number generator used in ciphertext compression is seeded with number 42

Client then constructs a private key object from generated parameters:

const PrivateKey sk(params);

Encrypts the plaintext:

const vector<bool> plaintext = {1, 0, 1, 0, 1, 0, 1, 0};
const auto compressed_ciphertext = sk.encrypt(plaintext);

Serializes and sends compressed ciphertext to server.

Upon obtaining the compressed ciphertext, Server expands it to perform operations:

const auto ciphertext = compressed_ciphertext.expand();

Executes the algorithm (here negation of an 8-bit input)

const vector<bool> another_plaintext = {1, 1, 1, 1, 1, 1, 1, 1};
const auto response = ciphertext ^ another_plaintext;

Serializes the output and sends it back to the client.

Client decrypts the response and obtains the algorithm output in plaintext:

const auto decrypted_response = sk.decrypt(response);
const vector<bool> expected_result = {0, 1, 0, 1, 0, 1, 0, 1};
assert(decrypted_response == expected_result);

Note that ciphertext can be compressed only during encryption on the client side, so cost for Server → Client communication is significantly higher than that of Client → Server communication.

Available homomorphic operations

• Bitwise addition (XOR): c1 ^ c2
• Bitwise multiplication (AND): c1 & c2
• Equality comparison: c0.equal({c1, c2, ..., cn})..
• Selection of i-th ciphertext: c0.select({c1, c2, ..., cn}).

License

The code is released under the GNU General Public License v3.0.

Copyright © 2015 Bogdan Kulynych. hello [at] bogdankulynych.me