HAL Id: hal-01650012
https://hal.inria.fr/hal-01650012
Submitted on 28 Nov 2017
To cite this version:
Anne Canteaut, Sergiu Carpov, Caroline Fontaine, Tancrède Lepoint, María Naya-Plasencia, et al. Stream Ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression. Journal of Cryptology, Springer Verlag, 2018, 31 (3), pp. 885-916. doi:10.1007/s00145-017-9273-9. hal-01650012

Stream Ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression
Anne Canteaut (1, *), Sergiu Carpov (2, **), Caroline Fontaine (3, ***), Tancrède Lepoint (4), María Naya-Plasencia (1, *), Pascal Paillier (5), and Renaud Sirdey (2, **)
1 Inria, France, {anne.canteaut,maria.naya_plasencia}@inria.fr
2 CEA LIST, France, {sergiu.carpov,renaud.sirdey}@cea.fr
3 CNRS/Lab-STICC and IMT Atlantique, France, caroline.fontaine@imt-atlantique.fr
4 SRI International, USA, tancrede.lepoint@sri.com
5 CryptoExperts, France, pascal.paillier@cryptoexperts.com
Abstract. In typical applications of homomorphic encryption, the first step consists for Alice of encrypting some plaintext m under Bob’s public key pk and of sending the ciphertext c = HE_pk(m) to some third-party evaluator Charlie. This paper specifically considers that first step, i.e. the problem of transmitting c as efficiently as possible from Alice to Charlie. As others suggested before, a form of compression is achieved using hybrid encryption. Given a symmetric encryption scheme E, Alice picks a random key k and sends a much smaller ciphertext c' = (HE_pk(k), E_k(m)) that Charlie decompresses homomorphically into the original c using a decryption circuit C_{E^-1}.
In this paper, we revisit that paradigm in light of its concrete implementation constraints; in particular E is chosen to be an additive IV-based stream cipher. We investigate the performances offered in this context by Trivium, which belongs to the eSTREAM portfolio, and we also propose a variant with 128-bit security: Kreyvium. We show that Trivium, whose security has been firmly established for over a decade, and the new variant Kreyvium have excellent performance. We also describe a second construction, based on exponentiation in binary fields, which is impractical but sets the lowest depth record to 8 for 128-bit security.
Keywords. Stream Ciphers, Homomorphic cryptography, Trivium
1 Introduction
Since the breakthrough result of Gentry [39] achieving fully homomorphic encryption (FHE), many works
have been published on simpler and more efficient schemes implementing homomorphic encryption. Because
they allow arbitrary computations on encrypted data, FHE schemes suddenly opened the way to exciting
new applications, in particular cloud-based services in several areas (see e.g. [62,43,56]).
* This work has been supported in part by the European Union’s H2020 Programme under project number 645622 PQCRYPTO.
** This work has been supported in part by the European Institute of Technology under project EIT DIGITAL HC@WORKS.
*** This work has received a French governmental support granted to the COMIN Labs excellence laboratory and managed by the National Research Agency in the “Investing for the Future” program under reference ANR-10-LABX-07-01.
Part of this work has been performed while employed at CryptoExperts, France. This material is based upon work supported by the Defense Advanced Research Projects Agency (DARPA) and Space and Naval Warfare Systems Center, Pacific (SSC Pacific) under Contract No. N66001-15-C-4071. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of DARPA or SSC Pacific. This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA). The views, opinions and/or findings expressed are those of the author and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government.
This work has been supported in part by the European Union’s H2020 Programme under grant agreement number ICT-644209.

Compressed encryption. In these cloud applications, it is often assumed that some data is sent encrypted under a homomorphic encryption (HE) scheme⁶ to the cloud to be processed in one way or another. It is thus typical to consider, in the first step of these applications, that a user (Alice) encrypts some data m under some other user’s public key pk (Bob) and sends some homomorphic ciphertext c = HE_pk(m) to a third-party evaluator in the cloud (Charlie). The roles of Alice and Bob are clearly distinct, even though they might be played by the same entity in some applications.
However, all HE schemes proposed so far suffer from a very large ciphertext expansion; the transmission of c between Alice and Charlie is therefore a very significant bottleneck in practice. The problem of reducing the size of c as efficiently as possible has first been considered in [62] wherein m is encrypted with a symmetric encryption scheme E under some key k randomly chosen by Alice, who then sends a much smaller ciphertext c' = (HE_pk(k), E_k(m)) to Charlie. Given c', Charlie then exploits the homomorphic property of HE and recovers
c = HE_pk(m) = C_{E^-1}(HE_pk(k), E_k(m))
by homomorphically evaluating the decryption circuit C_{E^-1}. This can be assimilated to a compression method for homomorphic ciphertexts, c' being the result of applying a compressed encryption scheme to the plaintext m and c being recovered from c' using a ciphertext decompression procedure. In that approach obviously, the new encryption rate |c'|/|m| becomes asymptotically close to 1 for long messages, which leaves no significant margin for improvement. However, the paradigm of ciphertext compression leaves totally open the question of how to choose E in a way that minimizes the decompression overhead, while preserving the same security level as originally intended.
Prior art. The cost of a homomorphic evaluation of several symmetric primitives has been investigated,
including optimized implementations of AES [40,19,29], and of the lightweight block ciphers Simon [57]
and Prince [30]. Usually lightweight block ciphers seem natural candidates for efficient evaluations in the
encrypted domain. However, they may also lead to much worse performances than a homomorphic evaluation
of, say, AES. Indeed, contemporary HE schemes use noisy ciphertexts, where a fresh ciphertext includes a
noise component which grows along with homomorphic operations. Usually a homomorphic multiplication
increases the noise by much larger proportions than a homomorphic addition. The maximum allowable level of
noise (determined by the system parameters) then depends mostly on the multiplicative depth of the circuit.
Many lightweight block ciphers balance out their simplicity by a large number of rounds, e.g. KATAN and
KTANTAN [24], with the effect of considerably increasing their multiplicative depth. This type of design
is therefore prohibitive in an HE context. Still Prince appears to be a much more suitable block cipher
for homomorphic evaluation than AES (and than Simon), because it specifically targets applications that
require a low latency; it is designed to minimize the cost of an unrolled implementation [11] rather than to
optimize e.g. silicon area.
At Eurocrypt 2015, Albrecht, Rechberger, Schneider, Tiessen and Zohner observed that the usual criteria
that rule the design of lightweight block ciphers are not appropriate when designing a symmetric encryption
scheme with a low-cost homomorphic evaluation [2]. Indeed, both the number of rounds and the number of
binary multiplications required to evaluate an Sbox have to be taken into account. Minimizing the number of
rounds is a crucial issue for low-latency ciphers like Prince, while minimizing the number of multiplications
is a requirement for efficient masked implementations.
These two criteria have been considered together for the first time by Albrecht et al. in the recent design of a family of block ciphers called LowMC [2] with very small multiplicative size and depth⁷. However, the originally proposed instances of LowMC, namely LowMC-80 and LowMC-128, have some security issues [27], inherent in their low multiplicative complexity. Indeed, the algebraic normal forms (i.e., the multivariate polynomials) describing the encryption and decryption functions are sparse and have a low degree. This type of feature is usually exploited in algebraic attacks, cube attacks and their variants, e.g. [22,28,4]. While these attacks are rather general, the improved variant used for breaking the original LowMC [27], named interpolation attack [50], specifically applies to block ciphers. Indeed it exploits the sparse algebraic normal form of some intermediate bit within the cipher using that this bit can be evaluated both from the plaintext in the forward direction and from the ciphertext in the backward direction. This technique yields several attacks including a key-recovery attack against LowMC-128 with time complexity 2^118 and data complexity 2^73, leading the designers to propose a tweaked version [66].

⁶ This terminology includes both FHE schemes and somewhat-homomorphic encryption.
⁷ It is worth noting that in an HE context, reducing the multiplicative size of a symmetric primitive might not be the first concern (while it is critical in a multiparty computation context, which also motivated the work of Albrecht et al. [2]), whereas minimizing the multiplicative depth is of prime importance.
Our contributions. We emphasize that beyond the task of designing an HE-friendly block cipher, revisiting
the whole compressed encryption scheme (in particular its internal mode of operation) is what is really needed
in order to take these concrete HE-related implementation constraints into account.
First, we identify that homomorphic decompression is subject to an offline phase and an online phase.
The offline phase is plaintext-independent and therefore can be performed in advance, whereas the online
phase completes decompression upon reception of the plaintext-dependent part of the compressed ciphertext.
Making the online phase as quick as technically doable leads us to choose an additive IV-based stream cipher
to implement E. However, we note that the use of a lightweight block cipher as the building-block of that stream cipher usually provides a security level limited to 2^(n/2) where n is the block size [67], thus limiting the number of blocks encrypted under the same key to significantly less than 2^32 (i.e. 32GB for 64-bit blocks).
As a result, we propose our own candidate for E: the keystream generator Trivium [26], which belongs to
the eSTREAM portfolio of recommended stream ciphers, and a new proposal called Kreyvium, which shares
the same internal structure but allows for bigger keys of 128 bits. The main advantage of Kreyvium over
Trivium is that it provides 128-bit security (instead of 80-bit) with the same multiplicative depth, and inherits
the same security arguments. It is worth noticing that the design of a variant of Trivium which guarantees
a 128-bit security level has been raised as an open problem for the last ten years [34, p. 30]. Besides a higher security level, it also accommodates longer IVs, so that it can encrypt up to 46 · 2^128 plaintext bits under the same key, with multiplicative depth only 12. Moreover, both Trivium and Kreyvium are resistant against the
interpolation attacks used for breaking the original LowMC since these ciphers do not rely on a permutation
which would enable the attacker to compute backwards. We implemented our construction and instantiated
it with Trivium, Kreyvium and LowMC in CTR-mode. Our results show that the promising performances
attained by the HE-dedicated block cipher LowMC can be achieved with well-known primitives whose
security has been firmly established for over a decade.
Our second candidate for E relies on a completely different technique based on the observation that multiplication in binary fields is F_2-bilinear, making it possible to homomorphically exponentiate field elements with a log-log-depth circuit. We show, however, that this second approach remains disappointingly impractical.
Organization of the paper. We introduce a general model and a generic construction to compress homo-
morphic ciphertexts in Section 2. Our construction using Trivium and Kreyvium is described in Section 3.
Subsequent experimental results are presented in Section 4. Section 5 presents and discusses our second
construction based on discrete logs on binary fields.
2 A Generic Design for Efficient Decompression
In this section, we describe our model and generic construction to transmit compressed homomorphic ciphertexts between Alice and Charlie. We use the same notation as in the introduction: Alice wants to send some plaintext m, encrypted under Bob’s public key pk (of a homomorphic encryption scheme HE), to a third-party evaluator Charlie.
2.1 Homomorphic Encryption
As mentioned in the introduction, in all existing HE schemes a ciphertext c contains a noise r which grows
with homomorphic operations. Given the system parameters, the correctness of the decryption is ensured as long as r does not exceed a given bound. When the function to be homomorphically evaluated is known in advance, the system parameters can be chosen accordingly so that the noise remains smaller than its maximum bound (and we obtain a so-called somewhat homomorphic encryption scheme). Otherwise, the only known method of obtaining fully homomorphic encryption (FHE) where the system parameters do not depend on the complexity of the evaluated functions is Gentry’s bootstrapping procedure [39]. This procedure consists in homomorphically evaluating the decryption circuit of the FHE scheme on the ciphertext, and makes it possible to shrink a noise close to its maximum bound to a state after which subsequent homomorphic operations are possible. Unfortunately, this procedure remains significantly more costly than usual homomorphic operations [46], even if recent progress has significantly reduced its cost [31,64,20]. For example, a recent result by Ducas and Micciancio improved by several orders of magnitude the latency of the bootstrapping procedure [31]. But, in this new scheme, bootstrapping is required after each (NAND) gate evaluated homomorphically. The limits of this solution have recently been pushed forward: for instance, [64] provides a way to optimize the bootstrapping management (for any FHE), and [20] proposes an efficient way to execute bootstrapping (especially for FHE based on [41]). But the cost of bootstrapping still remains very high.
Therefore, an efficient implementation will aim at minimizing the number of calls to it, while ensuring correctness after decryption. Significant improvements over naive evaluations are illustrated e.g. in [58,19]. However, many use cases of homomorphic encryption evaluate functions of a priori bounded complexity. For example statistical tests, machine learning algorithms [43] or private computation on encrypted genomic data [56] can be performed using somewhat homomorphic encryption (SWHE) schemes, among which the most recent, secure and efficient ones are [14,35,53]. The system parameters are, therefore, chosen as small as possible for efficiency. More generally, within the context of real-life applications, SWHE schemes are believed to already offer a number of compelling advantages.
In the following, we adopt the usual simplified setting as in e.g. [58,2] which fits the current most efficient HE schemes. This approximation is often considered in the literature and remains valid as long as the proportion of additions does not become overwhelming in the circuit. Clearly, our simplified model would become invalid outside of this context (see e.g. [2]). We refer to the HE schemes based on lattices [14,13,35,12,35,53] implemented in numerous works [62,40,43,30,57,56,45,46] and on the integers [21]. Namely, each ciphertext c_i is associated with a discretized noise level ℓ_i = 1, 2, . . . where 1 is the noise level in a fresh ciphertext. Let c_1 (resp. c_2) be a ciphertext with noise level ℓ_1 (resp. ℓ_2). Homomorphic additions c_3 = c_1 + c_2 (resp. homomorphic multiplications c_3 = c_1 × c_2) yield noise level ℓ_3 = max(ℓ_2, ℓ_1) (resp. ℓ_3 = max(ℓ_1, ℓ_2) + 1). Note that our definition of noise levels neglects the logarithmic increase of the noise size after a homomorphic addition. The maximal value of the ℓ_i’s represents the multiplicative depth of the circuit and is what we want to minimize to set the parameters as small as possible.
Throughout the rest of the paper, we assume the HE scheme HE_pk(·) encrypts separately each plaintext bit
(possibly in an SIMD fashion [68]). We say that the latency of a homomorphic evaluation is the time required
to perform the entire homomorphic evaluation, while its throughput is the number of blocks processed per
unit of time [57].
2.2 Offline/Online Phases in Ciphertext Decompression
Most practical scenarios would likely find it important to distinguish between three distinct phases within the homomorphic evaluation of C_{E^-1}:
1. an offline key-setup phase which only depends on Bob’s public key and can be performed once and for
all before Charlie starts receiving compressed ciphertexts encrypted under Bob’s key;
2. an offline decompression phase which can be performed only based on some plaintext-independent ma-
terial found in the compressed ciphertext;
3. an online decompression phase which aggregates the result of the offline phase with the plaintext-
dependent part of the compressed ciphertext and (possibly very quickly) recovers the decompressed
ciphertext c.
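As an added example (not code from the paper or its authors), the compressed-encryption paradigm of Section 2 with E instantiated by Trivium, evaluated under the noise-level model of Section 2.1 and split into the offline and online phases of Section 2.2. Trivium follows its public specification; assumed here are the key/IV bit ordering, a simulated leveled HE that keeps bit values visible, and that multiplying by a public level-0 bit (IV, constants) adds no depth, a case the two-ciphertext rule above does not cover.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Bit:
    """A bit as Charlie handles it: its value plus the paper's discretized noise
    level (0 = public plaintext such as an IV bit, 1 = fresh HE ciphertext).
    The value is kept only to simulate the computation; real HE would hide it."""
    v: int
    lvl: int = 0

    def __xor__(self, o):
        # Homomorphic addition: level max(l1, l2), as in Section 2.1
        return Bit(self.v ^ o.v, max(self.lvl, o.lvl))

    def __and__(self, o):
        # Homomorphic multiplication of two ciphertexts: max(l1, l2) + 1.
        # Assumption: multiplying by a public (level-0) bit costs no depth.
        if self.lvl == 0 or o.lvl == 0:
            return Bit(self.v & o.v, max(self.lvl, o.lvl))
        return Bit(self.v & o.v, max(self.lvl, o.lvl) + 1)


def trivium(key, iv, nbits):
    """Trivium keystream (80-bit key, 80-bit IV) written over Bit objects, so the
    same code runs in the clear (all levels 0) or 'homomorphically' (key at level 1)."""
    zero, one = Bit(0), Bit(1)
    s = list(key) + [zero] * 13 + list(iv) + [zero] * 112 + [one] * 3  # 288-bit state
    out = []
    for i in range(4 * 288 + nbits):  # 1152 warm-up clocks, then one keystream bit per clock
        t1, t2, t3 = s[65] ^ s[92], s[161] ^ s[176], s[242] ^ s[287]
        if i >= 4 * 288:
            out.append(t1 ^ t2 ^ t3)
        t1 = t1 ^ (s[90] & s[91]) ^ s[170]  # the single AND per register is what costs depth
        t2 = t2 ^ (s[174] & s[175]) ^ s[263]
        t3 = t3 ^ (s[285] & s[286]) ^ s[68]
        s = [t3] + s[:92] + [t1] + s[93:176] + [t2] + s[177:287]
    return out


def bits_from_hex(h, n):
    """Most-significant-bit-first bit list; the key/IV bit order is a convention assumed here."""
    return [(int(h, 16) >> (n - 1 - i)) & 1 for i in range(n)]


# Constructed sample inputs, not official Trivium test vectors
SAMPLE_KEY = bits_from_hex("0123456789ABCDEF0123", 80)
SAMPLE_IV = bits_from_hex("FEDCBA9876543210FEDC", 80)
SAMPLE_MSG = bits_from_hex("DEADBEEFCAFEBABE", 64)


def compress(key, iv, m):
    """Alice: c' = (HE_pk(k), IV, E_k(m)). E_k(m) = keystream XOR m travels in the
    clear; HE_pk(k) is simulated as the key bits at noise level 1."""
    ks = trivium([Bit(b) for b in key], [Bit(b) for b in iv], len(m))
    return [Bit(b, 1) for b in key], iv, [z.v ^ b for z, b in zip(ks, m)]


def decompress(he_k, iv, e_k_m):
    """Charlie: the offline phase evaluates Trivium on HE_pk(k) (plaintext-independent);
    the online phase XORs the public E_k(m) bits in, adding no multiplicative depth."""
    he_ks = trivium(he_k, [Bit(b) for b in iv], len(e_k_m))  # offline decompression
    return [z ^ Bit(b) for z, b in zip(he_ks, e_k_m)]         # online decompression


def depth(bits):
    """Multiplicative depth (maximal noise level) of a list of ciphertext bits."""
    return max(b.lvl for b in bits)


if __name__ == "__main__":
    c = decompress(*compress(SAMPLE_KEY, SAMPLE_IV, SAMPLE_MSG))
    print("recovered m:", [b.v for b in c] == SAMPLE_MSG, "depth of c:", depth(c))
```

The depth of the decompressed ciphertext equals the depth of the homomorphically evaluated keystream: the online XOR with the public E_k(m) bits costs nothing, which is why an additive stream cipher makes the online phase fast.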
