A Study on Partially Homomorphic Encryption

2023 17th International Conference on Ubiquitous Information Management and Communication (IMCOM) | 978-1-6654-5348-6/23/$31.00 ©2023 IEEE | DOI: 10.1109/IMCOM56909.2023.10035630

Jihyeon Ryu Keunok Kim Dongho Won*

Department of Computer Science Department of Electrical Department of Computer Science
and Engineering and Computer Engineering and Engineering
Sungkyunkwan University Sungkyunkwan University Sungkyunkwan University
Suwon, Korea Suwon, Korea Suwon, Korea
jhryu@[Link] kimkeunok@[Link] dhwon@[Link]

Abstract—Recently, data experts can obtain a large amount Benaloh [2], and Paillier [3] have more reasonable computa-
of data with the development of the Internet. When computing tional speed. However, the size of their key and the size of the
such data, cloud services that do not use the personal device’s ciphertext are important issues for devices with small memory.
memory are becoming popular. However, storing sensitive data as
a source in the cloud carries the risk of hijacking. To compensate We describe the size of the secure key pair and the size
for this, homomorphic encryption, which encrypts and stores of the ciphertext for the use of various partial homomorphic
sensitive data, and can safely operate in an encrypted state, is encryption methods. We compare the PHE of the four methods
being studied. In this paper, we analyze four methods of partially Paillier [3], ElGamal [1], ASHE [4], and Symmetria [5]. We
homomorphic encryption among homomorphic encryption meth-
analyze their security strength and show that they can work
ods. We compare and analyze the key size and ciphertext size
of four partially homomorphic encryptions, Paillier, ElGamal, safely on small devices.
ASHE, and Symmetria. We describe the paper as follows. Section II introduces the
Index Terms—Homomorphic Encryption, Cryptosystem, Secu- typical encryption method. In section III, we describe the types
rity Strength of partial homomorphism ciphers. Section IV analyzes the key
pair size and ciphertext size suitable for partially homomorphic
I. I NTRODUCTION encryption, and we conclude in Section V.
Nowadays, a lot of data is available on the Internet, and the
ways in which this data is statistically processed and stream- II. P RELIMINARIES
lined are increasing. In particular, as such data increases, the In this section, we introduce popular encryption algorithms
demand for cloud computing that uses external computing that use similar difficulties to partially homomorphic encryp-
power rather than personal devices is increasing. However, tion. Representative encryption algorithms include RSA [6],
large amounts of data can also contain sensitive data. ECC [7], and AES [9].
Storing sensitive data in the cloud raises privacy concerns.
In general, if it is encrypted and stored in the cloud, calcula- A. RSA
tions cannot be performed in the cloud. In general, encrypted
data needs to be decrypted, calculated, and then encrypted The RSA cipher is a cryptography named after the author,
again. At this time, the data is not protected in the decrypted created by Ron Rivest, Adi Shamir, and Leonard Adleman
state. A method to compensate for this is the homomorphic in 1978 [6], and is one of the public key cryptography
encryption method. A homomorphic encryption method has systems. RSA is known as the first algorithm capable of digital
been proposed to protect data in the operating state. signature as well as encryption. The digital signature function
Homomorphic encryption is divided into Fully Homomor- of RSA is used for e-commerce that requires authentication.
phic Encryption (FHE) and Partially Homomorphic Encryption It is an encryption method based on the fact that the product
(PHE) methods. FHE can perform all addition and multiplica- of two large numbers is difficult to factorize.
tion operations in an encrypted state. Conversely, PHE repre- When there are public key n = p ∗ q (where p and q are
sents a system that allows for one addition or multiplication large prime numbers) and e, private key d (such that d ∗ e =
operation. 1 mod ϕ(n)), and a plaintext message m, RSA encryption
Because FHE is computationally expensive, it cannot be and decryption works as follows.
used in devices with small memory. Also, since the operation
1) Encryption
speed is slow, it cannot be used even when fast speed is
important. Classic and well-used PHEs such as ElGamal [1], c = me mod n (1)
This work was supported by an Institute of Information & Communications
Technology Planning Evaluation (IITP) grant funded by the Korea government
2) Decryption
(MSIT) (No. 2021-0-00558, Development of National Statistical Analysis
System using Homomorphic Encryption Technology) m = cd mod n (2)

978-1-6654-5348-6/23/$31.00 ©2023 IEEE

Authorized licensed use limited to: Sungkyunkwan University. Downloaded on March 27,2023 at [Link] UTC from IEEE Xplore. Restrictions apply.
B. ECC For encryption, we calculate 9 rounds of the above four
Elliptic curve cryptography (ECC) is a public key cryptogra- steps, and the last round performs the remaining operations
phy based on elliptic curve theory. The encryption method us- except for the Mix Columns operation.
ing elliptic curves was independently proposed by Neil Koblitz When decryption, we use the Inverse S-box in the SB
and Victor Miller in 1985 [7], [8]. The most representative stage and use the ARK key in the reverse order. SR is also
advantage of elliptic curve cryptography over existing public substituted in the opposite direction, and the inverse of the
key cryptography such as RSA and Elgamal cryptography MC recursive matrix is used.
is that it provides a similar level of security while using a III. PARTIALLY H OMOMORPHIC E NCRYPTION
shorter key. Due to these advantages, it is currently used as Although there are various partial homomorphic encryption
a cryptographic method of the Bitcoin blockchain. It is an methods, in this section we discuss Paillier’s encryption [3]
encryption method based on the fact that the product of two and ElGamal [1], which are representative partial homomor-
large numbers is difficult to factorize. phic encryption, and the recently proposed ASHE [4] and
Basically, the ECC encryption method operates on the Symmetria [5]. The details are as follows.
coordinate plane y 2 = x3 + ax + b, which is the x value and
the y value of the elliptic curve, where a and b are constant, A. Paillier
and satisfy the equation 4a3 + 27b2 ̸= 0. At this time, the The Paillier cryptosystem is an asymmetric encryption al-
private key d is generated with a random number generator gorithm for public key cryptography invented and named after
with a prime number smaller than P , and the public key Q Pascal Paillier in 1999 [3]. Additive homomorphic encryption
is Q(x, y) = dG(x0 , y0 ), that is, by addition operation on is possible and was first proposed in Eurocrypt. The cryp-
the elliptic curve. When we know G and Q it is difficult to tosystem is an additive homomorphic encryption. A secret key
know the value d. Given plaintext m, ECC encryption and was conceived using the Carmichael function, and [[w]] was
decryption works as follows. defined in [2].
The public key n = p ∗ q, and the private key λ means
1) Encryption
λ(n) to which the Carmichael function λ is applied. At this
generate random value k (3) time, assuming that g has a non-zero multiple of n as its order,
encryption and decryption can be performed as follows.
public key Q = dG (4)
1) Encryption
y1 = kG (5) C = gm rn mod n2 (11)
y2 = m + kQ (6) 2) Decryption

c = (y1 , y2 ) (7) m = L(Cλ )/L(gλ ) mod n (12)

λ 2 λ 2
2) Decryption such that Cλ = C mod n , gλ = g mod n and
L(u) = (u − 1)/n.
m = y2 − (d ∗ y1 ) (8)
B. ElGamal
= y2 − (d ∗ (kG)) (9)
ElGamal encryption is a public key encryption method
= m + kQ − k ∗ (dG) (10) based on Diffie-Hellman key exchange, devised in 1985 by
Taher ElGamal [1]. It is an encryption method based on the
C. AES problem that it is difficult to obtain x of the discrete log
AES stands for Advanced Encryption Standard and is an equation β = αx when α and β are known.
encryption method established by the National Institute of The public key is prime number p, α, and β, where β =
Standards and Technology (NIST) in 2001 [9]. On November αx is satisfied. x becomes the private key. Assuming that the
26, 2001, AES was promulgated as the US Federal Information message is m, ElGamal’s encryption and decryption methods
Processing Standard (FIPS-197), and it is widely used world- are as follows.
wide due to its high safety and speed. Due to these advantages, 1) Encryption
it is also widely used for ransomware. It consists of a block
Select random integer k ∈ [0, p − 1] (13)
cipher format consisting of the following four steps.
k
• Substitute Bytes (SB): Blocks are exchanged in the form c1 = α mod p (14)
of Byte units using S-box. c2 = β k m mod p (15)
• Shift Rows (SR): Shifts one row to another.
• Mix Columns (MC): Changes all bytes in a column by 2) Decryption
replacing each Byte in a column using a circular matrix. s = cx1 = β k mod p (16)
• Add Round Key (ARK): XORs a part of the extended
m = c2 s−1 mod p (17)
key and the current block by bit.

Authorized licensed use limited to: Sungkyunkwan University. Downloaded on March 27,2023 at [Link] UTC from IEEE Xplore. Restrictions apply.
 TABLE I
C OMPARABLE STRENGTHS [14]

Security strength Symmetric key algorithms DSA RSA ECC

≤ 80 2TDEA L = 1024, N = 160 k = 1024 f = 160 - 223
112 3TDEA L = 2048, N = 224 k = 2048 f = 224 - 255
128 AES-128 L = 3072, N = 256 k = 3072 f = 256 - 383
192 AES-192 L = 7680, N =384 k = 7680 f = 384 - 511
256 AES - 256 L = 15360, N = 512 k = 15360 f = 512+

1) EC-ElGamal: EC-ElGamal is the ElGamal method us- 1) Encryption

ing the difficulty of elliptic curve cryptography. When the
public key is A = aP , the private key is a, and the message Enck (m, i) = ((m − Fk (i) + Fk (i − 1)) mod n, {i})
is m, encryption and decryption are performed as follows. (28)
2) Decryption
1) Encryption X
Deck (c, S) = (c+ (Fk (i)−Fk (i−1))) mod n (29)
Select random integer k (18) i∈S

K = kP (19) D. Symmetria

C = kA + m (20) Symmetria is a symmetric encryption method opposite to

Paillier, ElGamal, and ASHE described above [5]. Symmetria
2) Decryption proposed in VLDB 2020 conference by Savvides et al., is
S = aK (21) created considering both symmetric additive homomorphic en-
cryption (SAHE) and symmetric multiplicative homomorphic
m=C −S (22) encryption (SMHE), and is more cost-effective than the Paillier
2) CRT-ElGamal: CRT-ElGamal is the ElGamal method encryption.
using the Chinese Remainder Theorem [11], [12]. n is prime, Fk (x) is a pseudo random function that uses value k and
and h = g r mod n is public key, r is private key, for genera- x as inputs, and it is assumed that the set I is mapped to Zn .
tor g and i = 1, ..., t, di that gcd (di , dj ) = 1 is satisfied, and Symmetria SAHE encryption and decryption are performed as
the generator and di are public. When m = {m1 , ..., mt } is follows.
given as a message, encryption and decryption are performed 1) Encryption
as follows.
c = (m + Fk (r)) mod N, [r], ϕ (30)
1) Encryption
At this time, the form of c is {v, Ip , In }.
Select random integer ki i = 1, ..., t (23)
2) Decryption
C1i = g ki mod n (24) X X
m = (v + Fk (r1 ) + Fk (r2 )) mod N (31)
C2i = hki g mi mod n (25) r1 ∈Ip r2 ∈In

2) Decryption Fk (x) is a pseudo random function that uses value k and

x as inputs, and it is assumed that the set I is mapped to Zn .
−r
mi = CRT −1 [(logg ∗ C2i C1i mod n)] (26) Symmetria SMHE encryption and decryption are performed
t as follows.
X d d −1
that CRT −1 [Ci ] = Ci ( mod di ) mod d 1) Encryption
i=1
di di
(27) c = (m ∗ g Fk (r) ) mod N, [r], ϕ (32)
C. ASHE At this time, the form of c is {v, Ip , In }.
ASHE, which claims that the speed of additive homomor- 2) Decryption
phic encryption is faster than Paillier’s encryption system, is Y Y
an acronym for a new additively symmetric homomorphic m = (v ∗ g −Fk (r1 ) + g Fk (r2 ) ) mod N (33)
r1 ∈Ip r2 ∈In
encryption scheme [4]. It was proposed at the 2016 OSDI
conference by Papadimitriou et al. IV. A NALYSIS OF PHE
Fk (x) is a pseudo random function that uses k and x as
We estimate the secure key size and ciphertext size based
inputs, and it is assumed that the set I is mapped to Zn .
on FIPS [13], NIST 800–57 [14] for the introduced PHEs,
Encryption and decryption of ASHE is performed as follows.
Paillier, ElGamal, ASHE, and Symmetria. On this basis, we

Authorized licensed use limited to: Sungkyunkwan University. Downloaded on March 27,2023 at [Link] UTC from IEEE Xplore. Restrictions apply.
can choose a PHE that can be used even for low memory
devices.
Paillier says that encryption is not secure when we know p
and q of n = p ∗ q. This is similar to RSA safety. Since EC-
ElGamal and CRT-ElGamal are used based on large prime
numbers, they are the basis for choosing the key size similar
to the safety of ECC. As for both ASHE and Symmetria, are
similar to AES, safety increases in proportion to the size of
n. Table I provides details.
V. C ONCLUSION
In this paper, we analyzed a partially homomorphic encryp-
tion for use when performing an encryption operation in the
[Link] introduced the four methods of partial homomor-
phism, Paillier, Elgamal, ASHE, and Symmetria, compared
their security strength. The results of our research can also be
used to prevent path tracing by making it work by encrypting
it when operating on low-memory semiconductors.
ACKNOWLEDGMENT
This work was supported by an Institute of Information &
Communications Technology Planning Evaluation (IITP) grant
funded by the Korea government (MSIT) (No. 2021-0-00558,
Development of National Statistical Analysis System using
Homomorphic Encryption Technology)
R EFERENCES
[1] T. ElGamal, “A public key cryptosystem and a signature scheme based
on discrete logarithms.” IEEE transactions on information theory, 31(4),
pp. 469–472, 1985.
[2] J. D. C. Benaloh, “Verifiable secret-ballot elections.” Yale University,
1987.
[3] P. Paillier. “Public-key cryptosystems based on composite degree residu-
osity classes.” In International conference on the theory and applications
of cryptographic techniques, pp. 223–238, 1999.
[4] A. Papadimitriou, R. Bhagwan, N. Chandran, R. Ramjee, A. Haeberlen,
H. Singh, A. Modi, S. Badrinarayanan, “Big data analytics over encrypted
datasets with seabed.” In 12th USENIX symposium on operating systems
design and implementation (OSDI 16), pp. 587–602, 2016.
[5] S. Savvides, D. Khandelwal, P. Eugster, “Efficient confidentiality-
preserving data analytics over symmetrically encrypted datasets.” Proceed-
ings of the VLDB Endowment, 13(8), pp. 1290–1303, 2020.
[6] R. L. Rivest, A. Shamir, L. Adleman, “A method for obtaining digital
signatures and public-key cryptosystems.” Communications of the ACM,
21(2), pp. 120–126, 1978.
[7] N. Koblitz, “Elliptic curve cryptosystems.” Mathematics of computation,
48(177), pp. 203–209, 1987.
[8] V. S. Miller, “Use of elliptic curves in cryptography.” In Conference on
the theory and application of cryptographic techniques, pp. 417–426, 1985.
[9] J. Daemen, V. Rijmen, “AES proposal: Rijndael”. 1999.
[10] N. Koblitz, “Elliptic curve cryptosystems.” Mathematics of computation,
48(177), pp. 203–209, 1987.
[11] M. T. Ibn Ziad, A. Alanwar, Y. Alkabani, M. W. El-Kharashi and H.
Bedour, “Homomorphic Data Isolation for Hardware Trojan Protection.”
IEEE Computer Society Annual Symposium on VLSI, pp. 131–136, 2015.
[12] Y. Hu, W. J. Martin, B. Sunar, “Enhanced flexibility for homomorphic
encryption schemes via CRT.” In Applied Cryptography and Network
Security (ACNS), 2012.
[13] C. F. Kerry, C. R. Director, “Federal Information Processing Standards
Publication (FIPS PUB) 186–4” Digital Signature Standard (DSS), 2013.
[14] E. Barker, Q. Dang, “Recommendation for Key Management Part1:
General.”NIST Special Publication 800–57 part 1, revision 4. NIST, Tech.
Rep, 16. 2016.

Authorized licensed use limited to: Sungkyunkwan University. Downloaded on March 27,2023 at [Link] UTC from IEEE Xplore. Restrictions apply.