An Efficient Solution Towards Secure Homomorphic Symmetric Encryption Algorithms

In this paper, we consider Homomorphic Encryption (HE) to process over encrypted data in order to achieve user privacy. We present a framework solution to provide a high level of security for the symmetric HE algorithms. The proposed solution introduces a dynamic structure and dynamic diffusion primitives that enhance existing symmetric HE algorithms and overcome their weaknesses. We apply this solution to a well known symmetric homomorphic approach, the PORE (Polynomial Operation for Randomization and Encryption) approach. The security analysis of the proposed solution shows that it ensures a high level of security without performance degradation. It is also evaluated against different attacks. This leads to secure and efficient HE Algorithms for practical implementations.


Introduction
After the significant changes in modern systems, providing an implementation with a high level of security has become a big challenge. In this paper, we ensure user privacy by securing data processing. This can be attained by using a new kind of encryption called HE that permits third parties to process encrypted data without the need to decrypt cipher-texts. HE is required in several real-world modern applications such as Cloud Computing [1], e-Vote applications [2], Medical Applications [3], etc. An implementation of HE in modern real-world applications is given in Figure 1, and an illustration of Cloud querying using HE is given in Figure 2.

(1)

where $x, y \in Z_N$, $E$ is the encryption function and $K$ is a secret key. Thus, the main idea of FHE is that any specified party (which could be untrusted) may compute $E(x + y)$ and $E(x \times y)$ from $E(x)$ and $E(y)$ without knowing any information about $x$ and $y$. Different FHE algorithms are given in the literature [4] and decomposed into asymmetric algorithms such as RSA (Rivest, Shamir, Adleman) [5], DGHV (Dijk, Gentry, Halevi, Vaikuntanathan) [6], BGV (Brakerski, Gentry, Vaikuntanathan) [7], etc., and symmetric schemes such as NOHE (Not Operation for Homomorphic Encryption) [1], DF (Domingo Ferrer) [8], etc. The asymmetric ones suffer from computational complexity and high storage overhead, while the symmetric ones suffer from weak immunity against attacks, especially chosen and known plain-text ones. Thus, designing and implementing an FHE scheme that is practical for real-world applications is a real challenge. In our previous work [9], the MORE approach was described and a dynamic platform (dynamic structure and dynamic diffusion primitives) was applied over it, giving birth to a new homomorphic encryption algorithm called the Enhanced MORE.

The security analysis and performance of the Enhanced MORE in [9] have shown a high resistance to several attacks. In this paper, we extend the solution shown in [9] to the PORE approach [10] to provide a new HE algorithm candidate that is based on different mathematical rules compared to MORE. In addition, the proposed solution, called "Enhanced PORE", can overcome the different weaknesses of the original PORE. Furthermore, a security analysis demonstrates that the proposed solution ensures a high level of security without performance degradation, as does the "Enhanced MORE". This leads to providing a second secure and efficient HE algorithm candidate for practical application. The rest is organized as follows: Section 2 explains the PORE approach. Section 3 describes the dynamic implementation listed in [9] over the PORE approach. The security analysis and performance evaluation of the resultant algorithm (Enhanced PORE) are given in Section 4 with a comparison to PORE, MORE and Enhanced MORE, in terms of execution time and storage overhead. Conclusions are presented in Section 5.

* e-mail: khalil.hariss@net.usj.edu.lb; ** e-mail: hn49@aub.edu.lb; *** e-mail: Samhat@ul.edu.lb; **** e-mail: maroun.chamoun@usj.edu.lb

MORE And PORE Approaches
In this section, we give a brief explanation of the MORE Approach and a detailed one for the PORE approach.

[Tab. 1 (MORE approach): Encryption Process; Fully Homomorphism verified by matrix calculations]

MORE Approach
The MORE approach, investigated in [9,10], is based on an invertible matrix equation and is summarized in Tab. 1.

PORE Approach
PORE Approach stands for Polynomial Operations for Randomization and Encryption [10]. It is a FHE algorithm that satisfies both addition and multiplication properties. The proposed algorithm is based on the following operations:

Encryption Parameters
The symmetric key $(v_1, v_2)$ is selected from secret large integers $v_1$ and $v_2$ mod $N$. Using this key, the public polynomial $PP(v)$ of variable $v$ is computed to calculate the public parameters $b$ and $c$: $b = -(v_1 + v_2) \bmod N$ and $c = (v_1 v_2) \bmod N$. $b$ and $c$ are known by the third party to perform homomorphic computations over encrypted data.

Encryption Process
The encryption of a plain-text $x_i$ in $Z_N$ is done as follows:

- The sender picks a large random integer $r_i$ mod $N$ for a given plain-text $x_i$ and should solve a linear system with two unknowns $a_i$ and $d_i$:
- The encryption of $x_i$ is $E(x_i) = (a_i, d_i)$ and is calculated as follows:

As division is not supported in a ring structure, we develop in this work a new algorithm that makes the encryption possible.

Decryption Process
Having the secret key $(a_i, d_i)$, the receiver can recover the plain-text by applying this decryption process:

Multiplication
We recall the two public parameters $b = -(v_1 + v_2) \bmod N$ and $c = (v_1 v_2) \bmod N$ known by the third party, introduced in (3). Departing from a cipher-text $(A, D) = ((a_1 + d_1)(a_2 + d_2) - a_1 a_2 (1 + b) - d_1 d_2,\ d_1 d_2 - a_1 a_2 c)$. By applying the PORE decryption process listed in Equation (6) on $(A, D)$ we obtain:

We can conclude that the PORE homomorphic Multiplication is given by

Dynamic Implementation
A dynamic implementation similar to the one applied in [9] over the MORE approach is used in this paper to enhance the PORE approach. A detailed explanation of this framework is given in the next subsections.

Enhanced PORE Implementation
The proposed solution employs a dynamic structure in addition to dynamic diffusion primitives. Figure 3 shows the different steps of Enhanced PORE algorithm that are explained below.

Permutation Box
Using $DK_p$, a Permutation Box (PBox) is generated and applied over the input plain-text. PBox creation is done similarly to [11], where a key-dependent permutation technique is employed that preserves homomorphic properties. The homomorphic behavior is shown by using a PBox called $\pi$ of dimension $N$ defined by: $\pi = [p_i]_{1 \le i \le N}$. Two plain-texts $X$ and $Y$ of dimension $N$ are given: Suppose that is a law defined over the plain-texts by: Since π(X Y)=π(X) π(Y), we can deduce the homomorphic behavior of $\pi$.

Dynamic Block Encryption
As shown in Figure 3, the permuted plain-texts are decomposed into $G$ blocks, where $G = l/n$ and $n$ is the block size. Each block of dimension $n$ is encrypted with the PORE approach using an encryption key $(v_1, v_2)$ chosen dynamically from a secret key bank based on a dynamic selection algorithm.

Secret Pseudo-Random Sequence Generation
Based on equation (4), the encryption of a plain-text $x_i$ requires a random integer $r_i$. Thus, we should generate blocks of pseudo-random integers for the encryption of plain-text blocks. $DK_d$ can be employed as a seed for a cipher algorithm (like RC4) to build a secret sequence $R$ of $l$ random integers. Similar to the permuted plain-texts, the sequence $R$ is decomposed into $G$ blocks where $G = l/n$. To perform encryption using Enhanced PORE, each block of random integers is used to encrypt a block of plain-texts as shown in Figure 3.

Secret Key Bank Generation
As stated above, a key is chosen dynamically from a secret key bank during the dynamic encryption of each block. Based on equation (5), any key $(v_1, v_2)$ is built such that $(v_1 - v_2)$ is invertible by the multiplicative law in $Z_N$. We propose a generation algorithm to create a shared secret key bank having the following form

Algorithms 1 and 2 represent the generation of the $k$-th secret key of the bank, $(v_1^k, v_2^k)$. The generation of $H$ keys requires repeating these two algorithms for $H$ iterations. The two end hosts start by generating a secret sequence $s$ of length $\alpha H$. The secret parameter $v_1^k$ is generated based on the pseudo code of algorithm 1.

$v_1^k = s_i$
8: return $(v_1^k, s)$
9: end procedure

Once $v_1^k$ is chosen as in algorithm 1, $v_2^k$ is chosen such generation is based on the pseudo code of algorithm 2. In the pseudo-code of algorithm 2, after generating the secret sequence $s$ listed in algorithm 1, the two end hosts pick from it a parameter $u(k, j)$ to build an invertible multiplicative element ($v_1$ and $v_1^k$ are ready, $v_2^k$ is simply calculated. In general, the number of invertible multiplicative elements in $Z_N$ is limited. This leads to a limited number of encryption keys $(v_1^k, v_2^k)$, but our dynamic key generation approach strengthens this implementation, because in each session the $H$ secret keys are generated dynamically in a different order based on DK.

Dynamic Key Selection algorithm
The DK selection is given in Figure 4 and can be summarized by: Based on $DK_s$ and a stream cipher algorithm like RC4, another permutation box $\Delta = \{\delta_i,\ i = 1, 2, 3, \ldots, G\}$ is generated ($G$ is the number of blocks, and $\delta_i \in \{1, 2, 3, \ldots, H\}$).

if mod(product, i) = 0 then
10:

For the $k$-th block, the index $\delta_k$ is chosen from $\Delta$ and, based on it, a secret key $(v_1^{\delta_k}, v_2^{\delta_k})$ from the secret key bank is chosen.
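The Enhanced PORE structure described in this section (PBox from $DK_p$, random sequence from $DK_d$, key bank, per-block key selection from $DK_s$), as an added Python sketch that is not the authors' code. Assumptions: PORE encryption solves $a v_1 + d = x$, $a v_2 + d = r$ (mod $N$), whose equations are missing from this page; Python's seeded `random` stands in for RC4; the sub-keys are derived from DK by suffixing; all constants and function names are constructed.

```python
import random
from math import gcd

N, H, n = 256, 8, 4  # ring Z_N, key-bank size, block size (constructed values)

def stream(seed):
    # Seeded PRNG standing in for the RC4 keystream; not cryptographically secure.
    return random.Random(seed)

def key_bank(seed):
    """H keys (v1, v2) with u = v1 - v2 invertible mod N, so PORE can divide by u."""
    rng, bank = stream(seed), []
    while len(bank) < H:
        v1, u = rng.randrange(N), rng.randrange(N)
        if gcd(u, N) == 1:
            bank.append((v1, (v1 - u) % N))
    return bank

def session(dk, l):
    """Derive PBox pi, sequence R, selection Delta and the bank from DK (assumed split)."""
    pi = list(range(l))
    stream(dk + "|p").shuffle(pi)                         # DK_p -> permutation
    rd, rs = stream(dk + "|d"), stream(dk + "|s")
    R = [rd.randrange(N) for _ in range(l)]               # DK_d -> random integers
    delta = [rs.randrange(H) for _ in range(-(-l // n))]  # DK_s -> key index per block
    return pi, R, delta, key_bank(dk + "|b")

def encrypt(X, dk):
    pi, R, delta, bank = session(dk, len(X))
    C = []
    for i, p in enumerate(pi):                            # position i holds X[pi[i]]
        v1, v2 = bank[delta[i // n]]                      # key of block i // n
        x, r = X[p] % N, R[i]
        if r == x:                                        # keep r != x so that a != 0
            r = (r + 1) % N
        a = (x - r) * pow((v1 - v2) % N, -1, N) % N       # a*v1 + d = x, a*v2 + d = r
        C.append((a, (x - a * v1) % N))
    return C

def decrypt(C, dk):
    pi, _, delta, bank = session(dk, len(C))
    X = [0] * len(C)
    for i, (a, d) in enumerate(C):
        v1 = bank[delta[i // n]][0]                       # same key as at encryption
        X[pi[i]] = (a * v1 + d) % N                       # decrypt, then undo the PBox
    return X

def add(C1, C2):
    """Element-wise homomorphic addition of two vectors from the same session."""
    return [((a1 + a2) % N, (d1 + d2) % N) for (a1, d1), (a2, d2) in zip(C1, C2)]
```

Homomorphic addition only decrypts correctly when both vectors were encrypted under the same DK, because the permutation and the per-block keys must line up position by position.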

Decryption Process
As in any symmetric scheme, the decryption process is the inverse of the encryption. Having DK and IV, all secret parameters can be generated. The decryption process is based on the following steps:

1. First Step: Based on $DK_s$ and $DK_d$, the receiving end host can pick for each block number $k$ the key $(v_1^k, v_2^k)$, such that $1 \le k \le G$.
2. Second Step: After retrieving the decryption key for each block, the receiving end host applies equation (6) to perform the decryption process.
3. Third Step: The receiving end host generates the inverse secret permutation vector $\pi^{-1}$ by using $DK_p$ and the following transformation:

Security Analysis and Performances
To evaluate the performance of the Enhanced PORE, the same security analysis given in [9] is implemented. A simulation under Matlab is done where a set of plain-texts in $Z_{256}$ is taken. A comparison between the Enhanced PORE, PORE, MORE and Enhanced MORE is done in terms of execution time and performances. In the upcoming results, the Enhanced PORE cipher-text is the couple $(a, d)$ where $a$ is known as the first cipher and $d$ as the second one.

Resistance Against Statistical Attacks
To resist statistical attacks, the proposed scheme should ensure the Uniformity and Independence criteria.

Uniformity Property
The Uniformity criterion can be examined by applying the two different tests given in Tab. 2.

Distribution Test: a Gaussian plain-text distribution with a mean value equal to 128 and standard deviation equal to 16 is taken in Figure 5 (a), and the distribution of the obtained set of cipher-texts is illustrated in Figure 5 (b), (c). Comparing the different results of Figure 5, the cipher-text distribution after applying the encryption process is close to a uniform distribution. As a conclusion, the Enhanced PORE can strongly resist against any statistical attack.

Entropy Test: The entropy of a source message $m$ is given in Tab. 2, where $p(m_i)$ represents the probability of occurrence of symbol $m_i$ and $2^M$ is the total number of states of the information source. The entropy of a truly random source is equal to $M$. In our implementation the cipher values are in $Z_{256}$, so the ideal value of the entropy should be equal to 8 ($2^8 = 256$). The entropy values for 10000 cipher-texts or iterations have shown that the mean values are close to 8 for both ciphers (mean1 = 7.936 and mean2 = 7.9321) with low standard deviations (Std1 = 0.005153 and Std2 = 0.0116). The resultant cipher-texts of our scheme are considered a truly random source.

Independence Property
To examine Independence Property, we need to validate the three different tests given in Tab. 3.
Recurrence Test: Figure 6 shows the correlation between $x_i(t)$ and $x_i(t+1)$ for the original and the encrypted data respectively. Figure 6 (a) represents the correlation among a set of plain-texts with mean value equal to 128 and a low standard deviation equal to 16. Figure 6 (b) and (c) show the variation between $x_i(t)$ and $x_i(t+1)$ for the Enhanced PORE. The cipher-text space presents a high level of randomness, and no clear pattern is shown after the encryption process.

Correlation Test: Correlation is calculated as given in Tab. 3, with low standard deviations (Std1 = 0.01779 and Std2 = 0.01756), which means that the cipher-texts of the proposed algorithm do not reveal any information about the plain-texts.

[Tab. 3: $x_{(i,1)}, \ldots, x_{(i,m)}$ and its delayed version $x_i(t) = x_{(i,t)}, \ldots, x_{(i,mt)}$: Randomness. Correlation Test: $\rho_{x,y} = cov(x, y)$. Difference Test: difference at the bit level between cipher-texts and plain-texts: Independence.]

Difference Test: To evaluate this difference, in our simulation we calculate the difference at the bit level between 10000 cipher-texts and plain-texts. The different simulations have shown mean values close to 50 (Mean1 = 50.004 and Mean2 = 50.0005) with low standard deviations (Std1 = 0.312 and Std2 = 0.3177). The Enhanced PORE algorithm satisfies the difference property and presents a high level of independence between the cipher-texts and the plain-texts.

Resistance Against Several Kinds of Key Attacks
The main purpose of this section is to show that our encryption algorithm can resist against several types of key attacks.

Weak Keys
In this dynamic implementation, the proposed key derivation function produces a set of dynamic sub-keys with a high degree of randomness. Indeed, different cipher layers such as the permutation layer and the diffusion layer are related to the dynamic key to achieve the desirable cryptographic performance. Suppose, for example, that a weakness exists in any dynamic key: it will not alter the previous and the next processed data. As a conclusion, the dynamic approach used provides a good degree of resistance against weak keys.

Key Sensitivity
The Key Sensitivity (KS) refers to a big change in the cipher-text due to a slight change in the encryption key. Let all the elements of $K'_w$ be equal to those of $K_w$, except a random Least Significant Bit (LSB) of a random byte, and $T_b$ being the length of the original and cipher packets (in bits), the sensitivity is calculated as follows:

A good cryptosystem should give a key sensitivity close to 50. The KS test is done for 10000 iterations; the mean values are also close to 50 (mean1 = 50.0025 and mean2 = 49.999) with low standard deviations (Std1 = 0.3105 and Std2 = 0.3151). As a conclusion, the resultant algorithm provides a high resistance against related key attacks.

Enhanced PORE Zero Homomorphic Test
The PORE encryption equations given in (5) impose that during the random pick of $r_i$, it should always be different from the plain-text $x_i$; otherwise the encryption is useless because the second cipher $d_i$ will be equal to $x_i$ (i.e. the first cipher $a_i$ should always be different from zero). A constraint is added to solve this limitation and indicates that $r_i$ is always different than $a_i$. The remaining problem can simply be discovered by focusing on the homomorphic operations of equations (7) and (8). As an example, in the homomorphic addition listed in (7), it is sure that $a_1 \neq 0$ and $a_2 \neq 0$, but $a_1 + a_2 \neq 0$ is not guaranteed. The same problem exists in equation (8). To evaluate the effect of this vulnerability in Enhanced PORE, this test is proposed: two different vectors of plain-texts are taken, then encrypted using homomorphic Enhanced PORE. The two resultant cipher-texts are added and multiplied using homomorphic operations, and the probability that the first cipher is equal to zero is calculated. The test is done for 10000 iterations. The analysis of Figure 7 shows that the probability of the first cipher being equal to zero is negligible, with low standard deviations for homomorphic addition and multiplication. The investigated problem does not decrease the security performance of the Enhanced PORE since its occurrence is rare.
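The PORE operations from the PORE Approach section and the zero test described above, as an added Python example (not the authors' Matlab simulation). It assumes the PORE system $a v_1 + d = x$, $a v_2 + d = r$ (mod $N$) and component-wise addition, whose equations are missing from this page; the multiplication formula is the one given in the Multiplication section, and all function names and the seed are constructed.

```python
import random
from math import gcd

N = 256  # ring Z_N; the paper's simulation works in Z_256

def keygen(rng):
    """Secret (v1, v2) with v1 - v2 invertible mod N, plus public b and c."""
    while True:
        v1, v2 = rng.randrange(N), rng.randrange(N)
        if gcd((v1 - v2) % N, N) == 1:
            return (v1, v2), -(v1 + v2) % N, v1 * v2 % N

def encrypt(x, key, rng):
    v1, v2 = key
    r = (x + rng.randrange(1, N)) % N             # uniform over values != x
    # Assumed system: a*v1 + d = x and a*v2 + d = r (mod N).
    a = (x - r) * pow((v1 - v2) % N, -1, N) % N   # modular inverse replaces division
    return a, (x - a * v1) % N

def decrypt(ct, key):
    return (ct[0] * key[0] + ct[1]) % N

def h_add(c1, c2):
    return (c1[0] + c2[0]) % N, (c1[1] + c2[1]) % N

def h_mul(c1, c2, b, c):
    (a1, d1), (a2, d2) = c1, c2                   # (A, D) as given on the page
    A = ((a1 + d1) * (a2 + d2) - a1 * a2 * (1 + b) - d1 * d2) % N
    return A, (d1 * d2 - a1 * a2 * c) % N

def zero_test(trials=20000, seed=1):
    """Fraction of homomorphic sums and products whose first cipher is 0."""
    rng = random.Random(seed)                     # seeded for reproducibility only
    key, b, c = keygen(rng)
    z_add = z_mul = 0
    for _ in range(trials):
        x, y = rng.randrange(N), rng.randrange(N)
        cx, cy = encrypt(x, key, rng), encrypt(y, key, rng)
        s, p = h_add(cx, cy), h_mul(cx, cy, b, c)
        # Both results must still decrypt to x + y and x * y in Z_N.
        assert decrypt(s, key) == (x + y) % N and decrypt(p, key) == x * y % N
        z_add += s[0] == 0                        # happens when a1 + a2 = 0 mod N
        z_mul += p[0] == 0                        # happens when x*y = r1*r2 mod N
    return z_add / trials, z_mul / trials
```

With uniform plain-texts in $Z_{256}$, the sum's first cipher is zero with probability $1/(N-1)$, since each $a_i$ is uniform over the non-zero residues.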

Performance Analysis
The performance of any crypto-system resides in its low storage overhead and latency. The performance evaluation of the two resultant algorithms is studied in the next subsections.

Storage Overhead
The new dynamic approach did not affect the storage overhead of the resultant algorithm (i.e. the storage overhead of the PORE and its Enhanced version is the same). The encryption of $m$ bytes of plain-text using PORE or Enhanced PORE gives $2 \times m$ bytes of cipher-text.

[9]. The execution time is studied by varying the plain-text vector size from 800 bytes to 8000 bytes with a step equal to 800, and measuring for each plain-text size the mean execution time for 10000 iterations as in [9]. The execution time is shown in Figure 8, where the PORE Approach at the block level takes the lowest execution time; then comes the Enhanced PORE at the block level, whose execution time is still much smaller than that of the PORE at the byte level, MORE and Enhanced MORE. The PORE Approach at the byte level takes the highest execution time.

Enhanced MORE and Enhanced PORE comparison
The Enhanced MORE can be applied in a non-trusted cloud scenario because it does not have any public parameters, while the Enhanced PORE should be applied in a trusted cloud scenario due to the public parameters $b$ and $c$. In terms of storage overhead, the cipher-text size of the Enhanced MORE is related to the matrix dimension as explained in [9] (given a plain-text of $m$ bytes and a matrix of dimension $n \times n$, the output cipher is $m \times n$), while that of the Enhanced PORE is fixed (a plain-text of $m$ bytes will output a cipher-text of $2 \times m$ bytes).

Conclusion
Homomorphic encryption has become an efficient solution for preserving user privacy in different modern systems and applications. In this paper, we extend the previous solution of [9], and design and realize a dynamic solution applied to the PORE approach to overcome its original vulnerability. According to the presented security analysis, Enhanced PORE with its dynamic approach has shown a high degree of security. Its dynamic implementation comes with short encryption sessions and a dynamic P-box selection at the message level. A comparison between the Enhanced PORE and the Enhanced MORE is given in terms of latency, security and storage overhead, which indicates that similar cryptographic and efficiency performances are obtained between them. Therefore, the main goal of this paper is to provide a new HE algorithm candidate.