Towards a fully homomorphic symmetric cipher scheme resistant to plain-text/cipher-text attacks

Abstract

Users’ privacy becomes nowadays an important need and a big challenge for a lot of enterprises and service providers especially after adopting the cloud migration strategy. Thus, Homomorphic Encryption (HE) came as a novel cryptographic approach that enables users’ privacy at the cloud side by allowing computation over encrypted data. Existing HE schemes are based on either symmetric or asymmetric encryption algorithms. While asymmetric HE schemes provide the high and the required level of security, they suffer from high computational complexity and high storage overhead making a big majority of them not practical for real world applications. On the other hand, symmetric schemes assure the required efficiency, but they are vulnerable to attacks and especially the known plain-text/cipher-text attacks making their usage limited in practical implementation. The main objective of this paper is to design a new symmetric HE variant that provides the desired level of efficiency in implementation and the immunity against data breaches especially the known plain-text/cipher-text attacks. The proposed scheme, named Homomorphic Hybrid Symmetric Encryption Scheme (HHSES), which is based on combining the homomorphic behavior of two well-known symmetric encryption schemes that are the MORE (Matrix Operation for Randomization and Encryption) approach and the Domingo Ferrer (DF) scheme. The performance analysis of HHSES confirms its efficiency for real-world applications in comparison with a big variety of existing and well known symmetric and asymmetric schemes. A main drawback of HHSES is the cipher-text dimension expansion after the homomorphic multiplication since homomorphic operations are restricted to polynomial operations over the matrices. Therefore, to fix this issue, we propose a specific Key Switching (KS) technique after the homomorphic multiplication that reduces the cipher-texts’ dimension without altering its homomorphic behavior and the primitive classified data. Security analysis of the new scheme also verifies its immunity against different types of attacks and especially the known plain-text/cipher-text attacks. Another important contribution in this work is the optimization of the HHSES encryption and decryption procedures by making them parallelized using the Chinese Remainder Theorem (CRT). The implementation results have shown that the proposed optimization technique reduces the execution time of the HHSE encryption and decryption algorithms with a ratio close to \(\frac {1}{2}\). To the best of our knowledge, HHSES is the first symmetric HE scheme immune against the known/chosen plain-text/cipher-text attacks.

1 Introduction

Cloud computing ensures different services through the Internet. These resources include tools and applications like data storage, servers, databases, networking, and software. This technology presents a big variety of benefits for users such as scalabilty, cost reduction, disaster recovery, virtualization, and opportunities for outsourcing of storage and computation. Despite all of the advantages listed previously, users’ privacy in a cloud system is a major concern since in some critical cases, performing operations on encrypted data is mandatory. Users are then obliged to expose some of their secret parameters and decryption policies to the cloud. Thus, computing over the encrypted data becomes a need especially when users’ life has become trapped within the cloud. While cryptography [15] and steganography [23,24,25] are two important techniques used for preserving secret data confidentiality and for communicating via secret messages, traditional algorithms related to these two techniques are still limited in a cloud computing scenario.

HE is a modern cryptographic research topic, different from traditional cryptographic algorithms, that allows non-trusted parties to compute over encrypted data. This new type of encryption is crucial in the modern world [37] especially with cloud-based applications. An attractive field of exploring and benefiting from HE advantages is bio-metric data analysis such as DNA analysis [17], Palmprint [14], fingerprint [18] and eye-print [33] authentication. An illustration of HE implementation in such applications is shown in Fig. 1. In the presented figure, data is encrypted and stored in the cloud using HE algorithms, and different parties can send encrypted requests to the cloud. The latter performs operations over encrypted data and ships back encrypted answers to the trusted parties for decryption. Adopting a secure and efficient HE algorithm as a practical solution for bio-metric data privacy and operations forms an important variant in comparison with some existing techniques such as PalmHash Code and PalmPhasor Code [22] and Dual-key-binding cancelable palmprint cryptosystem [21]. Especially that some of the latter solutions such as PalmHash Code suffer from vulnerability to statistical attacks [20].

Fig. 1

Possible HE implementation in real world applications

HE was first known as Privacy Homomorphism (PH) and was introduced in 1978 by Rivest, Shamir and Adleman with the RSA scheme [30]. At that time, RSA allowed only multiplication over encrypted data. Nowadays, existing HE schemes allow different types of computations over encrypted data. While a wide range of the state of art (including symmetric and asymmetric homomorphic variants) is given in [1, 11], a brief description of some well known schemes is shown in Table 1.

Table 1 Description of existing HE schemes

The stepping stone in designing an asymmetric HE scheme was achieved by the IBM researcher Craig Gentry [8] in 2009. Gentry used ideal lattices to design the first Fully Homomorphic Encryption (FHE) scheme that allows non-bounded circuit evaluation. Afterwards, several encryption schemes based on asymmetric algorithms were proposed such as the DGHV (Dijk, Gentry, Halevi and Vaikuntanathan) scheme [38] and the BGV scheme [3]. DGHV is a FHE asymmetric scheme that works over the integers. DGHV supports a limited number of homomorphic operations due to the increase in noise after computing the cipher-text. Bootstrapping is a refresh mechanism introduced in the literature that decreases the noise level after each homomorphic operation while preserving the primitive plain-text. With bootstrapping, DGHV can evaluate circuits with non-bounded depth. BGV is another asymmetric FHE scheme that works over the lattices. BGV also suffers from high noise levels after performing homomorphic operations. Modulus Switching (MS) is a new technique introduced in the literature that extends the circuit evaluation depth by reducing the noise level after homomorphic operations and preserving the original plain-text. Despite of the high level of security presented by the DGHV and the BGV schemes, they suffer from high computation complexity and communication overhead. For example as given in [6], the size of the DGHV public key can attain 2.3 GB and with an optimized implementation on a high end workstation, key generation takes 2.2 hours, one bit encryption takes 3 minutes, and cipher-text refresh mechanism takes 30 minutes. Similarly, BGV is also based on complex lattice calculations.

In this paper, we will show that the proposed solution presents a new approach of symmetric HE algorithm that can require less performance overhead, and is more robustness compared to symmetric FHE schemes since it is based on different cryptographic concepts. Therefore, the proposed solution can be considered as a good candidate for limited real-time applications or limited devices. In general different asymmetric HE schemes provide a high level of security, meanwhile their performance is still far from being practical despite of all the accelerated implementations present in the literature such as [10, 39].

Other researchers took a different direction by investigating the design of symmetric encryption schemes using linear algebraic operations. In 2002, Joseph Domingo Ferrer published a symmetric polynomial based HE scheme known as Domingo Ferrer scheme (DF) [7]. In 2003, David Wagner analyzed the vulnerabilities of DF and drove a known plain-text/cipher-attack using polynomial resultant and Gaussian elimination [35]. Matrix Operation for Randomization and Encryption (MORE) is another symmetric HE scheme [19, 36] based on linear matrix operations. While the security of the MORE approach is based on the hardness of Rabin’s crypto-system and the factorization of the product of two large primes, a known plain-text/cipher-text attack can be executed by calculating the eigen-vectors. The PORE (Polynomial Operation for Randomization and Encryption) approach [19] is also a symmetric HE scheme based on polynomial operation over the cipher-texts. The latter scheme is sensitive to known plain-text/cipher-text attack where secret key can be revealed while knowing only one couple of plain-text and its correspondent cipher-text. Not Operation for Homomorphic Encryption (NOHE) [13], is another symmetric HE scheme based on the homomorphic behavior of the logic NOT gate. As stated in [13], a known plain-text/cipher-text attack can be performed on the NOHE scheme due to the lack of the avalanche effect.

As far as we know, we have built the first symmetric encryption scheme that can resist several types of attacks including the known plain-text/cipher-text attacks. The proposed scheme is realized by mixing the homomorphic behavior of both, the MORE and the DF approaches. The resultant scheme is referred to as the Homomorphic Hybrid Symmetric Encryption Scheme (HHSES). Crypt-analysis has shown that HHSES is resistant to different types of attacks including the known plain-text/cipher-text attacks. Besides, high level of efficiency is validated by implementation.

The rest of this paper is organized as follows: Section 2 introduces the HE concept and homomorphic properties and presents the state of art and some of the very well-known HE schemes for both symmetric (MORE, PORE and DF) and asymmetric (BGV) approaches. Section 3 introduces the proposed scheme (HHSES) that combines the homomorphic behavior of MORE and DF approaches. Security analysis of the HHSES is given in Section 4, where different security tests validate the scheme’s immunity against different types of attacks such as statistical attacks, and related key attacks. Security tests also verify the fulfilment of both uniformity and independence properties and the avalanche effect. Finally a theoretical crypt-analysis shows that the HHSES is immune against known plain-text/cipher-text attacks even with the lowest encryption parameters. Implementations under Python using SageMath library, and performance analysis of the new scheme are provided in Section 5 along with a comparison with symmetric (MORE, PORE and DF) and asymmetric (BGV) schemes. The correctness of the CRT optimization for both encryption and decryption procedures is validated by implementation in Section 6. Conclusion and future work are listed in Section 7.

2 State of art and existing schemes

In this section first HE concept is presented, then some of the well known symmetric (MORE, PORE and DF) and asymmetric (BGV) HE schemes are described.

2.1 Homomorphic Encryption Concept

An encryption scheme (β) having an encryption function (Enc) under a secret key (K) is said to be homomorphic, if for any circuit C that runs a function f, the evaluation procedure satisfies the following relation [9]:

$$ Enc_{K}(f(X))=f(Enc_{K}(X)) $$

(1)

Where X = [x₁,x₂,⋯ ,x_l] is a tuple of l input plain-texts. C is an electrical circuit written as a Boolean function. Boolean functions have a polynomial form that consists of a set of addition and multiplication gates as presented in Fig. 2.

Fig. 2

Designing HE cipher scheme from electrical circuit to achieve homomorphic arithmetic operations: addition and multiplication

Thus, building a HE scheme that evaluates a set of cipher-texts over any given electrical circuit is accomplished by applying these two basic properties defined by:

1. 1.

   Addition:

   $$ Enc_{K}(x_{1}+x_{2} \quad mod(M))=Enc_{K}(x_{1})+Enc_{K}(x_{2}) \quad mod(N) $$

   (2)
2. 2.

   Multiplication:

   $$ Enc_{K}(x_{1} \times x_{2} \quad mod(M))=Enc_{K}(x_{1}) \times Enc_{K}(x_{2}) \quad mod(N) $$

   (3)

Where x₁ and x₂ are two inputs plain-texts, \(\mathbb {Z}_{\mathbb {N}}\) represents the plain-texts ring and \(\mathbb {Z}_{\mathbb {M}}\) represents the cipher-texts ring.

2.2 Symmetric HE schemes

In this part, different cryptographic functions of some well known symmetric HE schemes (MORE, PORE and DF) are explained in detailed. In addition, crypt-analysis and some problems related to their implementations are listed.

2.2.1 MORE approach

The MORE Approach is a symmetric encryption scheme that is based on matrix operations. It was published in 2012 by the authors of [36]. The security of the scheme resides in the hardness of factoring the product of large prime integers (i.e similar to RSA). A known plain-text/cipher-text attack is possible over the MORE due to its matrix structure and it is achieved by calculating the cipher matrix eigen-values. An explanation of this scheme is given below:

1. 1.

   Design Idea: the basic idea starts with Rabin’s encryption algorithm [5] introduced by the following equation:

   $$ E(x)=x^{2}(mod(N)) $$

   (4)

   Where x is a plain-text and N = p × q (p and q are two large prime integers). The security of Rabin’s crypto-system is based on the hardness of factoring large prime integers (N = p × q). Rabin’s crypto-system decryption procedure is then achieved using the Chinese Remainder Theorem (CRT) and the two prime factors of N (p and q).

2. 2.

   Basic Matrix Encryption: given that Rabin’s crypto-system allows only multiplication over encrypted data, a simple matrix based HE scheme is built as follows:

   $$ E(x,K)=K^{-1}\begin{bmatrix} x&0 \\ 0&r\end{bmatrix} K \quad mod(N) $$

   (5)

   where K is an invertible matrix in the ring \(\mathbb {Z}_{N}\) and r is a random variable chosen also from the ring \(\mathbb {Z}_{N}\).

3. 3.

   Homomorphic Properties: given two plain-texts (x₁, x₂) and a secret (2 × 2) invertible matrix K from the ring \(\mathbb {Z}_{N}\), homomorphic properties are verified as listed below:

   1. (a)

      Addition: \( (E(x_{1},K)+E(x_{2},K)) \quad mod(N)=(K^{-1} \begin {bmatrix} x_{1} &0 \\0 & r_{1} \end {bmatrix}K+ K^{-1} \begin {bmatrix} x_{2} & 0 \\ 0 & r_{2} \end {bmatrix} K)\quad mod(N)= \\(K^{-1}\begin {bmatrix} x_1+x_2 & 0\\ 0 & r_1+r_2\end {bmatrix} {K}) \quad mod(N)=Enc(x_1+x_2,K) \quad mod(N)\)

   2. (b)

      Multiplication: \( (E(x_1,K)\times E(x_2,K))\quad mod(N)= (K^{-1} \begin {bmatrix} x_1 &0 \\0 & r_{1} \end {bmatrix}K \times K^{-1} \begin {bmatrix} x_2 & 0 \\ 0 & r_{2} \end {bmatrix} K)\quad mod(N)=\\ (K^{-1}\begin {bmatrix} x_1 \times x_2 & 0\\ 0 & r_1 \times r_2\end {bmatrix} {K})\quad mod(N)=Enc(x_1\times x_2,K) \quad mod(N)\) Where r₁ and r₂ are two random variables chosen from the public ring \(\mathbb {Z}_{N}\).

4. 4.

   Security of the Basic Matrix Scheme:

   1. (a)

      Characteristic Equation: a possible attack on this scheme is achieved by calculating the eigen-values of the cipher matrix E(x,k) given by (5); eigen-values represent the plain-texts. A practical solution for the attacker is deriving the characteristic equation given by:

      $$ \begin{array}{@{}rcl@{}} P(z)= det(z-E(x,K)) \quad mod(N)=z^{2}-(x+r)z+xr=0 \quad mod(N) \end{array} $$

      (6)

      Where z is the polynomial variable, x and r are the same cryptographic parameters given in (5). It is infeasible for the attacker to solve the characteristic equation given in (6) due to Rabin’s crypto-system (i.e the hardness of revealing two large prime integers p and q (N = p × q)).

   2. (b)

      Known Plain-text/Cipher-text Attack: knowing one couple of plain-text/cipher-text (a,E(a,K)), an attacker can drive a known plain-text/cipher-text attack over this basic matrix scheme. The related attack is achieved by calculating the eigen-vectors of the cipher matrix E(a,k). Let \(\vec {v}\) be an eigen-vector, \(\vec {v}\) can be retrieved by applying the following equation:

      $$ f(\vec {v})=E(a,K) \times \vec{v}=a \times \vec{v} $$

      (7)

      Remark In the rest of this article, diag(x₁,x₂,....x_l) represents a diagonal square matrix of dimension l × l defined by:

      $$ \begin{array}{@{}rcl@{}} diag(x_{1},x_{2},....x_{l})=\begin{bmatrix} x_{1},&0,&0,&0,&0,&\cdots&0\\ 0,&x_{2},&0,&0,&0,&\cdots&0\\ 0,&0,&x_{3},&0,&0,&\cdots&0\\ {\vdots} & \vdots&\vdots& \vdots& {\vdots} & {\ddots} & {\vdots} \\ 0,&0,&0,&0,&0,&\cdots&x_{l} \end{bmatrix} \end{array} $$
   3. (c)

      MORE Approach [19, 36]: the formal MORE Approach is presented in this part. First, an invertible (4 × 4) matrix K is picked as a secret key of the encryption scheme. Starting from a plain-text \(x \in \mathbb {Z}_{N}\), a diagonal matrix diag(x,a,b,c) is constructed. Different parameters a, b and c listed in the previous diagonal matrix are the solutions to a set of linear congruences depending on the plain-text x and a random value \(r \in \mathbb {Z}_{N}\) (i.e. a, b and c are calculated using the CRT). The corresponding cipher-text C is the similarity transformation of the matrix K by diag(x,a,b,c): C = K^− 1 diag(x,a,b,c) K. Given \(\{f_{i} \}\text {} ^{m}_{i=1}\), where f_i = p_iq_i such that p_i and q_i are two large prime integers and \(N={\prod }^{m}_{i=1} f_i \) such that m = O(poly(λ)), where λ is the security parameter.

      The encryption algorithm is then represented by the following steps:

      Remark Dimension is equal to 4 in the MORE Approach for simplicity, however, the scheme is applicable for any matrix dimension.

   4. (d)

      MORE Crypt-analysis: as it was proven in [36], the MORE Approach is sensitive to chosen plain-text/cipher-text attack. The crypt-analysis of this scheme is given by the two following lemmas and theorem:

      

   Lemma 1

   Let \(m^{\prime }\) be the number of plain-text/cipher-text pairs the adversary has access to. If for some \(m^{\prime }\), there exists an algorithm \(A_{d} (C=E(x, k), \{x_l,C_l=E(x_l,K)\}\text {} ^{m^{\prime }}_{l=1})\) such that given \(m^{\prime }\) chosen plain-text and cipher-text pairs (x_l,C_l) and a cipher-text C, returns x with probability p, then there exists a PPT algorithm A_f using A_d as an oracle to factor f_i for some i with probability:

   $$ \begin{array}{@{}rcl@{}} \displaystyle{p^{\prime}=p(1-\displaystyle{\frac{1}{p_{i}}})(1-{(1-\displaystyle{\frac{1}{m+1}}{(1-\displaystyle{\frac{1}{m+1}})}^{m^{\prime}})}^{m})} \end{array} $$

   (8)

   Lemma 2

   Assuming that the probability to factor a λ bit integer in polynomial time is negligible, the encryption scheme is secure for \(m^{\prime } \leq m\).

   Theorem 1

   The bound \(m^{\prime }\) of Lemma 1 can be weakened to \(m^{\prime } \leq m\) lnpoly(λ), where poly(λ) denotes some fixed polynomial in λ.

2.2.2 PORE approach

The PORE Approach [19] stands for Polynomial Operation for Randomization and Encryption. This encryption scheme assures homomorphic operations over cipher-texts while using polynomial calculations. The PORE Approach is vulnerable to the known plain-text/cipher-text attacks due to its linear structure as will be discussed in the upcoming PORE crypt-analysis part. A detailed explanation of this scheme is given as follows:

1. 1.

   Cryptographic Parameters:

   1. (a)

      Security Parameter λ: based on the chosen security level of the scheme.

   2. (b)

      Public Modulus N: given \(\{f_{i} \}\text {} ^{m}_{i=1}\), where f_i = p_iq_i such that p_i and q_i are two large prime integers, the public modulus \(N={\prod }^{m}_{i=1} f_i \) such that m = O(poly(λ)).

   3. (c)

      Secret Key (v₁,v₂): 2 secret big integers chosen randomly from the public ring \(\mathbb {Z}_{N}\).

   4. (d)

      Public Polynomial: a public polynomial PP(v) of variable v is computed as follows: PP(v) = (v − v₁)(v − v₂) = v² − (v₁ + v₂)v + v₁v₂ = v² + bv + c, where b = −(v₁ + v₂) mod(N) and c = v₁v₂ mod(N). The two public parameters are shared with the third party to perform computation over encrypted data.

      Remark 1

      While knowing the two public parameters b = −(v₁ + v₂) mod(N) and c = (v₁v₂) mod(N) by the third non-trusted party, revealing secret values v₁, v₂ is done by finding the root of the public polynomial PP(v) = v² + bv + c which is a hard problem based on the Rabin’s cypto-system (i.e the hardness of factoring \(N={\prod }^{m}_{i=1} f_i\) where f_i = p_iq_i) as discussed in Section 2.2.1.

2. 2.

   Encryption Procedure: starting from a plain-text \(x \in \mathbb {Z}_{\mathbb {N}}\) and secret key \((v_1,v_2) \in \mathbb {Z}^{2}_{N}\), its corresponding cipher-text C = (c₁,c₂) mod(N) is calculated based on the following algorithm:

3. 3.

   Decryption Procedure: having a cipher-text C = (c₁,c₂) and the secret key v = (v₁,v₂), the plain-text x is retrieved by applying the following equation:

   $$ x=c_{1}v_{1}+c_{2} \quad mod(N) $$

   (9)
4. 4.

   Homomorphic Properties: having two plain-texts x₁ and x₂ with their respective cipher-texts \(C_1=({c^{1}_{1}},{c^{1}_{2}})\) and \(C_2=({c^{2}_{1}},{c^{2}_{2}})\), homomorphic addition and multiplication over cipher-texts are achieved based on the following properties:

   1. (a)

      Homomorphic Addition: the resultant cipher-text after homomorphic multiplication is C^{(1 + 2)} defined by \(C^{(1+2)}=(c^{(1+2)}_{1},c^{(1+2)}_{2})=({c^{1}_{1}}+{c^{2}_{1}},{c^{1}_{2}}+{c^{2}_{2}})\) because \(x_1+x_2={c^{1}_{1}}v_1+{c^{1}_{2}}+{c^{2}_{1}}v_1+{c^{2}_{2}}=({c^{1}_{1}}+{c^{2}_{1}})v_1+({c^{1}_{2}}+{c^{2}_{2}}).\)

   2. (b)

      Homomorphic Multiplication: the resultant cipher-text after homomorphic multiplication is defined by \(C^{(1 \times 2)}=(c^{(1 \times 2)}_{1},c^{(1 \times 2)}_{2})=(({c^{1}_{1}}+{c^{1}_{2}})({c^{2}_{1}}+{c^{2}_{2}})-{c^{1}_{1}}{c^{2}_{1}}(1+b)-{c^{1}_{2}}{c^{2}_{2}}, \quad {c^{1}_{2}}{c^{2}_{2}}-{c^{1}_{1}}{c^{1}_{2}}c)\), where b and c are the two public parameters given previously and shared with the third non-trusted party. Homomorphic multiplication is verified by applying the decryption equation given in (9) over C^(1×2):

      $$ \begin{array}{@{}rcl@{}} c^{(1 \times 2)}_{1}v_{1}+c^{(1 \times2)}_{2}&=&(({c^{1}_{1}} + {c^{1}_{2}})({c^{2}_{1}}+{c^{2}_{2}})-{c^{1}_{1}}{c^{2}_{1}}(1 + b) - {c^{1}_{2}}{c^{2}_{2}})v_{1}+{c^{1}_{2}}{c^{2}_{2}}-{c^{1}_{1}}{c^{1}_{2}}c\\ &=&({c^{1}_{1}}{c^{2}_{1}}){v^{2}_{1}}+({c^{1}_{1}}{c^{2}_{2}}+{c^{1}_{2}}{c^{2}_{1}})v_{1}+{c^{1}_{2}}+{c^{2}_{2}}\\ &=&({c^{1}_{1}}v_{1}+{c^{1}_{2}})({c^{2}_{1}}v_{1}+{c^{2}_{2}})\\&=&(x_{1} \times x_{2}) \quad mod(N) \end{array} $$
5. 5.

   PORE Crypt-analysis: due to its linear structure (linear systems), the PORE Approach is vulnerable to known plain-text/cipher-text attack where revealing secret key (v₁,v₂) is possible while knowing only one couple of plain-text/cipher-text. Starting from one couple of known plain-text/cipher-text (x,C = (c₁,c₂)), the attacker can reveal the secret key while applying the following algoithm:

2.2.3 Domingo rerrer (DF) scheme

DF scheme is a symmetric encryption scheme published in 2002 by Joseph Domingo Ferrer in [7]. The scheme is polynomial based, each cipher-text is seen as a uni-variate polynomial. Homomorphic properties are then defined as polynomial operations over the cipher-texts. DF scheme suffers form two main problems that are cipher-texts expansion after homomorphic multiplication and sensitivity to the known plain-text/cipher-text attack. An explanation of this scheme is given below:

1. 1.

   Security Parameters: different security parameters of DF scheme [7] are given by the following:

   1. (a)

      λ: Security Parameter based on the chosen level of security.

   2. (b)

      m: Pubic Modulus m > 10²⁰⁰ should have many small divisors.

   3. (c)

      d: Public Integer d > 2 represents the cipher-text dimension.

   4. (d)

      \(m^{\prime }\): Secret Modulus, a small divisor of the public modulus such that \(m=(m^{\prime })^{\lambda }\).

   5. (e)

      r: Secret Key \(r \in \mathbb {Z}_{m}\) should be invertible in the public ring \(\mathbb {Z}_{m}.\)

2. 2.

   Encryption Procedure: Starting from a plain-text \(a \in \mathbb {Z}_{m^{\prime }}\), the encryption procedure is given by the two following steps:

   1. (a)

      Decompose Function: the plain-text a is randomly decomposed into d elements \((a^{(1)}, a^{(2)}, a^{(3)},\cdots , a^{(d)}) \in [\mathbb {Z}_{m}]^{d}\) such that \({{\sum }_{i=1}^{d}}a^{(i)} \quad mod(m^{\prime })=a^{(1)}+a^{(2)}+\cdots +a^{(d)} \quad mod(m^{\prime })=a\)

   2. (b)

      Encryption Procedure: an invertible secret key r is randomly picked from the public ring \(\mathbb {Z}_{m}\), the cipher-text π of the plain-text a is then given by: π = [a⁽¹⁾r,a⁽²⁾r²,a⁽³⁾r³,⋯ ,a^(d)r^d]. Cipher-text can be represented as a uni-variate polynomial π(t) of variable t: π(t) = (a⁽¹⁾r)t + (a⁽²⁾r²)t² + (a⁽³⁾r³)t³ + ⋯ + (a^(d)r^d)t^d (mod(m)).

3. 3.

   Decryption Procedure: the decryption is simply done by multiplying the i^th coordinate π(i) of the cipher-text π by the r⁻ⁱ mod(m) to retrieve a⁽ⁱ⁾ mod(m), then performing \({{\sum }_{i=1}^{d}}a^{(i)} \quad mod(m^{\prime })\) to retrieve a.

4. 4.

   Homomorphic Properties: the two homomorphic properties of DF (addition and multiplication) are investigated in this part. Let (C₁, C₂) respectively two cipher-texts generated from two different plain-texts (a₁, a₂) taken from the private ring \(\mathbb {Z}_{m^{\prime }}\) while using the security parameters and the DF encryption procedure given previously.

   $$ \begin{array}{@{}rcl@{}} C_{1}=[a^{(1)}_{1}r, a^{(2)}_{1}r^{2}, a^{(3)}_{1}r^{3},\cdots,a^{(d)}_{1}{r^{d}}] \end{array} $$
   $$ \begin{array}{@{}rcl@{}} C_{2}=[a^{(1)}_{2}r, a^{(2)}_{2}r^{2}, a^{(3)}_{2}r^{3},\cdots,a^{(d)}_{2}{r^{d}}] \end{array} $$

   C₁ and C₂ are then represented in their uni-variate polynomial form with variable t as follows:

   $$ \begin{array}{@{}rcl@{}} C_{1} \rightarrow \pi_{1}(t)=(a^{(1)}_{1}r)t+(a^{(2)}_{1}r^{2})t^{2}+(a^{(3)}_{1}r^{3})t^{3}+\cdots+(a^{(d)}_{1}r^{d})t^{d} mod(m). \end{array} $$
   $$ \begin{array}{@{}rcl@{}} C_{2} \rightarrow\pi_{2}(t)=(a^{(1)}_{2}r)t+(a^{(2)}_{2}r^{2})t^{2}+(a^{(3)}_{2}r^{3})t^{3}+\cdots+(a^{(d)}_{2}r^{d})t^{d} mod(m) \end{array} $$

   Given that, homomorphic operations of DF encryption scheme are restricted to polynomial calculations over encrypted data, homomorphic addition and multiplication are achieved as given below:

   1. (a)

      Addition: the two polynomials π₁(t) and π₂(t) are added in the public ring \(\mathbb {Z}_{m}[T]\) as follows:

      $$ \begin{array}{@{}rcl@{}} \pi_{1}(t)+\pi_{2}(t)=((a^{(1)}_{1}+a^{(1)}_{2})r)t+((a^{(2)}_{1}+a^{(2)}_{2})r^{2})t^{2}+\\((a^{(3)}_{1}+a^{(3)}_{2})r^{3})t^{3}+......((a^{(d)}_{1}+a^{(d)}_{2})r^{d})t^{d} mod(m) \end{array} $$

      (10)

      The resultant cipher-text after homomorphic addition is:

      $$ \begin{array}{@{}rcl@{}} C_{1+2} = [(a^{(1)}_{1} + a^{(1)}_{2})r,(a^{(2)}_{1} + a^{(2)}_{2})r^{2},(a^{(3)}_{1} + a^{(3)}_{2})r^{3},\ldots,(a^{(d)}_{1} + a^{(d)}_{2})r^{d}]. \end{array} $$

      (11)

      C_{1 + 2} is decrypted using the vector:

      $$ \begin{array}{@{}rcl@{}} [r^{1},r^{-2},r^{-3},\cdots,r^{-d}] \in [\mathbb{Z}_{m}]^{d} \end{array} $$

      (12)

      Thus, \(Dec_{(r,m^{\prime })}(C_{1+2})=(a_{1}+a_{2})\) is validated. Thus, the scheme is additive homomorphic.

   2. (b)

      Multiplication: the two polynomials π₁(t) and π₂(t) are multiplied in the public ring \(\mathbb {Z}_{m}[T]\) as follows:

      $$ \begin{array}{@{}rcl@{}} \pi_{1}(t) \times \pi_{2}(t)&=&((a^{(1)}_{1}a^{(1)}_{2})r^{2})t^{2}+((a^{(1)}_{1}a^{(2)}_{2}+a^{(1)}_{2}a^{(2)}_{1})r^{3})t^{3}+((a^{(1)}_{1}a^{(3)}_{2}\\ &&+a^{(3)}_{1}a^{(1)}_{2}+a^{(2)}_{1}a^{(2)}_{2})r^{4})t^{4}+\ldots+((a^{(d)}_{1}a^{(d)}_{2})r^{2d})t^{2d} \end{array} $$

      The resultant cipher-text after homomorphic multiplication is:

      $$ \begin{array}{@{}rcl@{}} C_{1 \times 2}&=&[(a^{(1)}_{1}a^{(1)}_{2})r^{2},(a^{(1)}_{1}a^{(2)}_{2}+a^{(1)}_{2}a^{(2)}_{1})r^{3}, (a^{(1)}_{1}a^{(3)}_{2}+a^{(3)}_{1}a^{(1)}_{2}\\ &&+a^{(2)}_{1}a^{(2)}_{2})r^{4},....,(a^{(d)}_{1}a^{(d)}_{2})r^{2d}] \end{array} $$

      (13)

      The decryption of C_1×2 is done using the vector \([r^{2},r^{3},r^{4},\cdots ,r^{2d}] \in \mathbb {Z}^{2d-1}\) and \(Dec_{(r,m^{\prime })}=(a_1 \times a_2)\) is validated. Thus, the scheme is multiplicative homomorphic.

5. 5.

   DF cipher-text expansion: as mentioned previously, homomorphic multiplication in DF scheme is a polynomial multiplication over the cipher-texts. The cipher-text dimension will grow exponentially with homomorphic multiplication. One disadvantage of the DF scheme is that after evaluating a multiplicative circuit of high depth, the scheme loses its efficiency due to the resultant communication overhead (i.e. after performing k multiplication operations over 2^k cipher-texts of dimension d, the cipher-text dimension becomes 2^k(d − 1) + 1).

6. 6.

   DF Crypt-analysis: DF crypt-analysis has shown that the scheme is sensitive to known plain-text attack due to its algebraic structure. Using uni-variate polynomial resultant and Gaussian elimination, David Wagner has shown in [35] that starting with 4 × poly(λ) (λ is the security parameter) couples of plain-text/cipher-text \((a_{i}/C_{i}=[a^{(1)}_{i}r, a^{(2)}_{i}r^{2},\cdots ,a^{(d)}_{i}r^{d}])\), revealing secret parameters \((r,m^{\prime })\) is possible with a probability close to \((\displaystyle 1-(1-\frac {6}{\pi ^{2}})^{poly(\lambda )})\).

2.3 BGV asymmetric scheme

BGV is a lattice based asymmetric encryption scheme published by the authors of [3]. The scheme suffers from two main problems that are cipher-text expansion after homomorphic multiplication and noise increase after circuit evaluation. The first problem is resolved using the Key Switching (KS) technique and the second one is resolved using the Modulus Switching (MS) technique. The security of the scheme is based on the hardness of Learning With Errors (LWE) and, as far as we know, no attack is introduced againt the concerned scheme. A detailed explanation of the BGV scheme is given below:

1. 1.

   Basic Scheme: the basic BGV [3, 4] scheme can be modeled as a symmetric encryption scheme, that operates over the bit level. Secret key and cipher-text are given respectively by \(s \in \mathbb {Z}^{[m,1]}_{q}\) and \(c \in \mathbb {Z}^{[m,1]}_{q}\), where m is the lattice dimension. Decryption is given by the two following vector and matrix forms, where decryption works as long as the noise ((s.c)mod(q) << αq:

   $$ \begin{array}{ll} Vector \quad Form: (\langle s,c \rangle mod(q)) mod(2)\\ Matrix \quad Form: ((s.c)mod(q))mod(2) \end{array} $$

   (14)
2. 2.

   Building the Homomorphic Scheme

   1. (a)

      Addition: the scheme is an instance of Error Correcting Code (ERC), addition is valid as long as the noise is small enough.

   2. (b)

      Multiplication: building homomorphic multiplication is done using tensor product as given in the following equation:

      $$ M=u \otimes v = \{M_{ij}=(u_{i}v_{j}) \} $$

      (15)

   It is easy to demonstrate that:

   $$ s(u \otimes v) s^{t}= \langle s,u \rangle \langle s, v \rangle=(s.u)(s.v) $$

   (16)

   If the noise level is low enough after multiplicative operation, decryption can be written as:

   $$ (s(u \otimes v)s^{t} mod(q))mod(2)=((\langle s , u \rangle \langle s , v \rangle) mod(q)) mod(2) $$

   (17)

   It is more preferable to deal with vectors rather than matrices and the following linearization is proposed:

   Given that:

   $$ \begin{array}{@{}rcl@{}} c=u \otimes v= \begin{bmatrix} u_{1}v_{1}& u_{1}v_{2}&\cdots& u_{1}v_{m}\\ u_{2}v_{1}& u_{2}v_{2}&\cdots&u_{2}v_{m}\\ {\vdots} & {\vdots} & {\ddots} & {\vdots} \\ u_{m}v_{1}& u_{m}v_{2}&\cdots&u_{m}v_{m}\end{bmatrix} \end{array} $$

   An extended linear version of c is represented by c^∗ = vect(u ⊗ v) = [u₁v₁,u₁v₂,........,u_mv_m]

   $$ \begin{array}{@{}rcl@{}} s \otimes s=\begin{bmatrix}s_{1}s_{1}&s_{1}s_{2}&\cdots&.s_{1}s_{m}\\ s_{2}s_{1}&s_{2}s_{2}&......&s_{2}s_{m}\\ {\vdots} & {\vdots} & {\ddots} & {\vdots} \\ s_{m}s_{1}&s_{m}s_{2}&\cdots&s_{m}s_{m}\end{bmatrix} \end{array} $$

   and

   $$ \begin{array}{@{}rcl@{}} s^{*}=vect(s \otimes s)=[s_{1}s_{1},s_{1}s_{2},\cdots,s_{m}s_{m}] \end{array} $$

   It is simple to demonstrate that 〈c^∗,s^∗〉 = 〈s,u〉〈s,v〉 = sMs^t and the decryption equation can then be written by the following:

   $$ Dec(c^{*})=(\langle c^{*},s^{*} \rangle mod(q)) mod(2) $$

   (18)

   (18) works as long as the noise (〈c^∗,s^∗〉mod(q)) is quite small.

3. 3.

   Dimension Growth: due to the tensor product used with homomorphic multiplication, the cipher-text dimension will grow exponentially. Starting from 2^k cipher-texts of dimension m each and after doing k multiplication operations, the resultant cipher-text dimension becomes \(m^{2^{k}}\). To resolve the cipher-text dimension expansion present in BGV scheme, Key Switching (KS) is introduced. The main concept of KS is that after having an extended cipher-text c^∗ (of dimension n > m) with respect to an extended secret key s^∗ = vect(s ⊗ s) (of dimension n > m), a new lower dimension cipher-text \(c^{\prime }\) with respect to a lower dimension secret key \(s^{\prime }\) is built such that:

   $$ Dec_{s^{\prime}}(c^{\prime})=Dec_{s^{*}}(c^{*}) $$

   (19)

   To achieve KS, an encryption matrix \(M \in \mathbb {Z}^{[m,n]}_{q}\) is published and defined by:

   $$ M(s^{*} \rightarrow s), \quad c^{\prime} =Mc^{*} \quad ([m.1]=[m,n][n,1]) \quad m<n $$

   (20)

   Remark 2

   The detailed explanation, implementation and performance analysis regarding KS are given in [3, 11].

4. 4.

   Level Somewhat Homomorphic Scheme

   1. (a)

      Basic BGV SHE Scheme: Level SHE scheme symbolizes a level by level path. For a circuit of depth d, d random secret keys are generated as \(\displaystyle {s_{i}=[1|t_{i}]} \in \mathbb {Z}^{m}_{q}\) where 0 ≤ i ≤ d − 1. For each level i of the circuit, a public matrix \(M_{i} \in \mathbb {Z}^{[m,n]}_{q}\) is published. For level 0, \(M_{0}=M(0 \rightarrow s_{0})\) is generated and for any level i \(M_{i}=M(s^{**}_{i} \rightarrow s_{i})\) is generated.

      1. i

         Parameters Generation: starting from security parameter λ, the lattice dimension is given by m ≈ poly(λ) and the public ring dimension is given by q ≈ poly(m).

      2. ii

         Public Matrices Generation:

         $$ \begin{array}{ll} s_{0}M_{0}=2e_{0}\\ s_{i}M_{i}=2e_{i}+s^{**}_{i-1} \end{array} $$

         (21)
      3. iii

         Encryption Procedure: the encryption mechanism in this case is done based on the following equation:

         $$ Enc(b)=\quad M_{0}r+ \begin{bmatrix} b\\0\\\cdots\\0\\\end{bmatrix} $$

         (22)

         where r is a random vector ∈{0,1}ⁿ.

      4. iv

         Decryption Procedure: the decryption mechanism at any level i is performed using the secret key s_i and applying the following equation:

         $$ Dec(c,i)=(\langle s_{i},c_{i} \rangle mod(q))mod(2) $$

         (23)
      5. v

         Homomorphic Properties: starting from two cipher-texts (c₁,i) and (c₂,i) at a level i, homomorphic properties can be done by the following:

         1. A.

            Addition: addition is simply performed by (c_add,i) = (c₁ + c₂,i).

         2. B.

            Multiplication: multiplication is performed by applying the tensor product over the two cipher-texts (c₁,i) and (c₂,i) at level i. The resultant cipher-text is then linearized by c^∗ = vect(c₁,c₂). Finally, the fresh cipher-text is calculated by \(c^{\prime }=Mc^{*}\)based on the KS technique and the public matrix M.

   2. (b)

      Making the Scheme Fully Homomorphic: the noise at level i is given by (sc_imod(q)). Noise level will be doubled after addition and squared after multiplication. In this way, a circuit of limited depth can be evaluated as long as the noise is lower than the modulus q. To evaluate deeper circuit, the Modulus Switching (MS) technique is introduced in the literature. MS is based on switching into another modulus (different than q) but the decryption is always possible. The key challenge with MS is that while having a cipher-text c with respect to a secret key s, a new cipher-text \(c^{\prime }\) for some modulus f < q should be built such that:

      $$ (\langle c^{\prime},s \rangle mod(f))mod(2)=(\langle c,s \rangle mod(q))mod(2) $$

      (24)

      Remark 3

      The detailed explanation, implementation and performance analysis of MS are given in [3, 11].

5. 5.

   BGV Crypt-analysis: The hardness of the BGV scheme is based on the hardness of Learning With Error (LWE) introduced by Oded Regev in [26, 29]. As far as we known, no attack is introduced in the literature against the BGV scheme.

3 Homomorphic hybrid symmetric encryption scheme (HHSES)

HHSES is a new symmetric encryption scheme obtained by mixing the homomorphic behavior of two well known symmetric variants: the MORE approach and the DF scheme. Following the scheme’s topology, homomorphic properties are based on polynomial operations over matrices. One main disadvantage of the new scheme is exponential cipher-text expansion due to polynomial multiplication over matrices. The scheme will suffer from high storage overhead and low performance especially when dealing with circuits of high depth. To resolve the latter problem, KS technique [3, 11] is applied to reduce the cipher-text dimension and hence improve its efficiency. One main characteristic of HHSES is its resistance against different types of attacks including the known plain-text/cipher-text attacks. A detailed explanation of designing the new scheme is presented in the next.

3.1 Building the scheme

In this part, we will describe the mathematical concept of the proposed HE cipher scheme including the security parameters in addition to encryption and decryption procedures.

3.1.1 HHSES parameters

HHSES parameters are a mix of both MORE and DF encryption parameters and are given as follows:

1. 1.

   λ: security parameter, based on the required security level.

2. 2.

   ψ: secret modulus, that represents the dimension of the private ring \(\mathbb {Z}_{\psi }\), where different plain-texts are chosen.

3. 3.

   N, RSA ring modulus: is given as \(N={\prod }^{m}_{i=1} f_i\), \(\{f_i\}\text {} ^{m}_{i=1}\) and f_i = p_iq_i such that p_i and q_i are two large prime integers, where m = O(poly(λ)).

4. 4.

   Ψ= ψ × N: is the public modulus that represents the dimension of the public ring \(\mathbb {Z}_{\Psi }\).

5. 5.

   d: cipher-text dimension, each plain-text is decomposed into d elements using the random decompose function of DF given in Section (3.1.2).

6. 6.

   r: invertible secret key, an invertible secret key chosen from the public ring \(\mathbb {Z}_{\Psi }\).

7. 7.

   K: invertible secret matrix given by K = (k_i,j), where \(k_{i,j} \in \mathbb {Z}_{\Psi }\). In our previous article [12], we proposed a lightweight and practical technique to generate an invertible random square matrix K as explained in Appendix A. The authors of [34] detected a vulnerability in this model if the dynamic key approach is not used, which is in contrast to the presented assumption and the main idea of this work. The strength of the enhanced MORE approach in resisting known plain-text/cipher-text attacks is weak as explained in details in Appendix B if the employed cryptographic primitives are static. Here, a new countermeasure is proposed against this vulnerability in the case of static cryptographic primitives are used. The proposed solution applies a new random model in generating the invertible secret matrix key K, which is based on the following steps.

   1. (a)

      Step 1: lower bound triangular matrix A, a random invertible lower bound matrix A of dimension (n × n) is generated based on the following form:

      $$ A= \begin{bmatrix} a_{1,1} &0&0&0&\cdots&0\\ a_{1,2}& a_{2,2}&0&0&\cdots&0\\ a_{3,1}&a_{3,2}&a_{3,3}&0&\cdots&0\\ {\vdots} & {\vdots} & {\vdots} & {\ddots} & {\vdots} \\ a_{n,1}&a_{n,2}&a_{n,3}&0&\cdots.&a_{n,n} \end{bmatrix} $$

      (25)

      The matrix A is created above such that gcd(a_i,i,Ψ) = 1 for i ∈{1,2,3,...,n}, thus (a_i,i)^− 1 ∈ Z_Ψ. The lower bound matrix A is invertible since \(Det(A)={\prod }^{n}_{i=1} a_{i,i}\) and \((Det(A))^{-1}={\prod }^{n}_{i=1} (a_{i,i})^{-1}.\)

   2. (b)

      Step 2: higher bound triangular matrix B, a random invertible matrix B of dimension (n × n) is generated based on the following form:

      $$ B= \begin{bmatrix} b_{1,1}&b_{1,2}&b_{1,3}&\cdots&b_{1,n}\\ 0&b_{2,2}&b_{2,3}&\cdots&b_{2,n}\\ 0&0&b_{3,3}&\cdots&b_{3,n}\\ {\vdots} & {\vdots} & {\ddots} & {\vdots} \\ 0&0&0&\cdots&b_{n,n} \end{bmatrix} $$

      (26)

      B is built such that gcd(b_i,i,Ψ) = 1. Higher bound matrix B is invertible since (Det(B))^− 1 exists in the ring Z_Ψ.

   3. (c)

      Step 3: random secret invertible matrix K Generation, the invertible matrix K is then given by A × B. (K)^− 1 exits and (K)^− 1 = (A × B)^− 1 = (B)^− 1 × (A)^− 1.

   Due to the new secret matrix K generation, the attack given in [34] is no more possible. It is mentioned previously that the latter attack profits from the linear relations existent within the matrix K given in (38). The new matrix generation presented is based on creating the invertible secret matrix K from random values where no clear patterns or linear relations exist among different elements of the matrix K. This new way of building K can generate odd and even matrices, while with the previous one ((38)) only matrices with even dimensions were possible.

3.1.2 Encryption procedure

Starting from a vector X = [x₁,x₂,...,x_k,...,x_l] of l plain-texts such that \(x_i \in \mathbb {Z}_{\psi }\), the encryption procedure is given by the following steps:

1. 1.

   DF Encryption Procedure: each element x_k ∈ X is decomposed and encrypted using DF cryptographic parameters (d and r) as follows:

   $$ \begin{array}{@{}rcl@{}} \left\{ \begin{array}{l} X_{1}=[x^{(1)}_{1}r, x^{(2)}_{1}r^{2} , ......, x^{(d)}_{1}r^{d}] \quad mod({\Psi})\\ X_{2}=[x^{(1)}_{2}r, x^{(2)}_{2}r^{2} , ......, x^{(d)}_{2}r^{d}] \quad mod({\Psi})\\ {\vdots} \\ X_{k}=[x^{(1)}_{k}r, x^{(2)}_{k}r^{2} , ......, x^{(d)}_{k}r^{d}] \quad mod({\Psi})\\ {\vdots} \\ X_{l}=[x^{(1)}_{l}r, x^{(2)}_{l}r^{2} , ......, x^{(d)}_{l}r^{d}] \quad mod({\Psi}) \end{array} \right. \end{array} $$

   (27)
2. 2.

   Matrix Polynomial Form: different vectors X₁,X₂,..,X_k,..,X_l given above are grouped by the following polynomial matrix form:

   $$ \begin{array}{@{}rcl@{}} P(t)&=&{\sum}^{i=d}_{i=1} diag(x^{(i)}_{1}r^{i}, x^{(i)}_{2}r^{i}, x^{(i)}_{3}r^{i},\ldots,x^{(i)}_{l}r^{i})t^{i} \quad mod({\Psi})\\& = &diag(x^{(1)}_{1}r, x^{(1)}_{2}r, x^{(1)}_{3}r,\ldots,x^{(1)}_{l}r)t+diag(x^{(2)}_{1}r^{2}, x^{(2)}_{2}r^{2}, x^{(2)}_{3}r^{2},\ldots,x^{(2)}_{l}r^{2})t^{2}\\&&+\ldots+diag(x^{(d)}_{1}r^{d}, x^{(d)}_{2}r^{d}, x^{(d)}_{3}r^{d},\ldots,x^{(d)}_{l}r^{d})t^{d} \quad mod({\Psi}) \end{array} $$
3. 3.

   MORE Encryption Procedure: finally an invertible secret matrix K is built using the matrix generation engine explained in Section 3.1.1. Thus, the encryption of the vector X is given by the following equation:

   $$ Enc(X)=K^{-1}\cdot P(t)\cdot K \quad mod({\Psi}) $$

   (28)

An illustration of the encryption procedure is given in Fig. 3.

Fig. 3

The proposed HHSES encryption algorithm

3.1.3 Decryption procedure:

HHSES is a symmetric encryption scheme, the decryption procedure is then the inverse of the encryption process. Hence, decryption is based on the following steps:

1. 1.

   Retrieving the Polynomial Matrix P(t): this is done by applying the following equation:

   $$ P(t)=K \cdot Enc(X) \cdot K^{-1} \quad mod({\Psi}) $$

   (29)
2. 2.

   Retrieving the X_i Vectors: once the polynomial matrix P(t) is retrieved, the following vectors are built \(X_{i}=[x^{(1)}_{i}r, x^{(2)}_{i}r^{2}, x^{(3)}_{i}r^{3},....,x^{(d)}_{i}r^{d}]\) for 1 ≤ i ≤ l.

3. 3.

   Retrieving the plain-texts vector X: after building the X_i vectors, the DF decryption procedure is applied as given in Section 2.2.3 to calculate the primitive plain-text vector X.

An illustration of the decryption procedure is given in Fig. 4.

Fig. 4

The corresponding decryption scheme of HHSES

3.2 Homomorphic properties

Starting from two different plain-text vectors X and Y of dimension l such that: X = [x₁,x₂,x₃,...x_l] and Y = [y₁,y₂,y₃,...y_l] where \(x_i, y_i \in \mathbb {Z}_{\psi }\). The encryption of X and Y using HHSES is given by: Enc(X) = K^− 1 ⋅ P_x(t) ⋅ K such that \(P_{x}(t)={\sum }^{i=d}_{i=1}diag(x^{(i)}_{1}r^{i}, x^{(i)}_{2}r^{i}, x^{(i)}_{3}r^{i},.....,\) \(x^{(i)}_{l}r^{i})t^{i} \quad mod({\Psi }).\) Enc(Y ) = K^− 1 ⋅ P_y(t) ⋅ K such that \(P_{y}(t)={\sum }^{i=d}_{i=1} diag(y^{(i)}_{1}r^{i}, y^{(i)}_{2}r^{i}, y^{(i)}_{3}r^{i},.....,\) \(y^{(i)}_{l}r^{i})t^{i} \quad mod({\Psi })\). Homomorphic properties are verified as follows:

1. 1.

   Addition: Enc(X+Y ) = Enc(X)+Enc(Y ) = K^− 1⋅P_x(t)⋅K+K^− 1⋅P_y(t)⋅K = K^− 1⋅(P_x(t)+P_y(t))⋅K = K^− 1⋅(P_x+y(t))⋅K Decryption is done by applying these steps:

   1. (a)

      Step1: K(Enc(X + Y )K^− 1 is calculated to retrieve P_x+y(t).

   2. (b)

      Step2: \(P_{x+y}(t)={\sum }^{i=d}_{i=1} diag((x^{(i)}_{1}+y^{(i)}_{1})r^{i}, (x^{(i)}_{2}+y^{(i)}_{2})r^{i}, (x^{(i)}_{3}+y^{(i)}_{3})r^{i},.....,(x^{(i)}_{l}+y^{(i)}_{l})r^{i})t^{i} \quad mod({\Psi }).\)

   3. (c)

      Step3: based on the polynomial P_x+y(t), the following vectors are retrieved as follows:

      $$ \begin{array}{@{}rcl@{}} \left\{ \begin{array}{l} X_{1}+Y_{1}=[(x^{(1)}_{1}+y^{(1)}_{1})r, (x^{(2)}_{1}+y^{(2)}_{1})r^{2},...,(x^{(d)}_{1}+y^{(d)}_{1})r^{d}]\\ X_{2}+Y_{2}=[(x^{(1)}_{2}+y^{(1)}_{2})r, (x^{(2)}_{2}+y^{(2)}_{2})r^{2},...,(x^{(d)}_{2}+y^{(d)}_{2})r^{d}]\\ \vdots\\ X_{l}+Y_{l}=[(x^{(1)}_{l}+y^{(1)}_{l})r, (x^{(2)}_{l}+y^{(2)}_{l})r^{2},...,(x^{(d)}_{l}+y^{(d)}_{l})r^{d}] \end{array} \right. \end{array} $$

      By applying the DF decryption procedure given in Section 2.2.3, it is simple to calculate X + Y = [x₁ + y₁,x₂ + y₂,...,x_l + y_l] and the scheme is additive homomorphic.

2. 2.

   Multiplication: Enc(X×Y ) = Enc(X)×Enc(Y ) = (K^− 1⋅P_x(t)⋅K)×(K^− 1⋅P_y(t)⋅K) = K^− 1⋅(P_x(t)×P_y(t))⋅K = K^− 1⋅(P_x×y(t))⋅K. Decryption is done by applying the following steps:

   1. (a)

      Step 1: K(Enc(X × Y ))K^− 1 is calculated to retrieve P_x×y(t).

   2. (b)

      Step 2:

      $$ \begin{array}{@{}rcl@{}} P_{x \times y}(t)&=&diag(({x^{1}_{1}}{y^{1}_{1}})r^{2},({x^{1}_{2}}{y^{1}_{2}})r^{2},....,({x^{1}_{l}}{y^{1}_{l}})r^{2})t^{2}\\& &+diag((x^{(1)}_{1}y^{(2)}_{1}+y^{(1)}_{1}x^{(2)}_{1})r^{3}, (x^{(1)}_{2}y^{(2)}_{2}+y^{(1)}_{2}x^{(2)}_{2})r^{3},\ldots, (x^{(1)}_{l}y^{(2)}_{l}\\ &&+y^{(1)}_{l}x^{(2)}_{l})r^{3})t^{3}+diag((x^{(1)}_{1}y^{(3)}_{1}+x^{(3)}_{1}y^{(1)}_{1}+x^{(2)}_{1}y^{(2)}_{1})r^{4}, (x^{(1)}_{2}y^{(3)}_{2}\\ &&+x^{(3)}_{1}y^{(1)}_{2}+x^{(2)}_{2}y^{(2)}_{2})r^{4},\ldots,(x^{(1)}_{l}y^{(3)}_{l}+x^{(3)}_{1}y^{(1)}_{l}+x^{(2)}_{1}y^{(2)}_{l})r^{4})t^{4}\\&&+\ldots+diag((x^{(d)}_{1}y^{(d)}_{1})r^{2d},(x^{(d)}_{2}y^{(d)}_{2})r^{2d},\ldots,(x^{(d)}_{l}y^{(d)}_{l})r^{2d})t^{2d} \end{array} $$
   3. (a)

      Step 3: based on the polynomial P_x×y, the following vectors are retrieved:

      $$ \begin{array}{@{}rcl@{}} \left\{ \begin{array}{l} X_{1} \times Y_{1}=[({x^{1}_{1}}{y^{1}_{1}})r^{2}, (x^{(1)}_{1}y^{(2)}_{1}+y^{(1)}_{1}x^{(2)}_{1})r^{3},(x^{(1)}_{1}y^{(3)}_{1}+x^{(3)}_{1}y^{(1)}_{1}+x^{(2)}_{1}y^{(2)}_{1})r^{4},....,(x^{(d)}_{1}y^{(d)}_{1})r^{2d}]\\ X_{2} \times Y_{2}=[({x^{1}_{2}}{y^{1}_{2}})r^{2}, (x^{(1)}_{2}y^{(2)}_{2}+y^{(1)}_{2}x^{(2)}_{2})r^{3},(x^{(1)}_{2}y^{(3)}_{2}+x^{(3)}_{2}y^{(1)}_{2}+x^{(2)}_{2}y^{(2)}_{2})r^{4},....,(x^{(d)}_{2}y^{(d)}_{2})r^{2d}]\\ \vdots\\ X_{l} \times Y_{l}=[({x^{1}_{l}}{y^{1}_{l}})r^{2}, (x^{(1)}_{l}y^{(2)}_{l}+y^{(1)}_{l}x^{(2)}_{l})r^{3},(x^{(1)}_{l}y^{(3)}_{l}+x^{(3)}_{l}y^{(1)}_{l}+x^{(2)}_{l}y^{(2)}_{l})r^{4},....,(x^{(d)}_{l}y^{(d)}_{l})r^{2d}] \end{array} \right. \end{array} $$

      after applying the DF decryption procedure given in Section 2.2.3, it is simple calculate X × Y = [x₁ × y₁,x₂ × y₂,....,x_l × y_l] and the scheme is multiplicative homomorphic.

3.3 Dimension growth and KS technique

In this part, KS technique is introduced to resolve HHSES dimension growth after homomorphic multiplication while preserving the homomorphic behavior of the scheme and the original plain-text. More details are presented in the next.

3.3.1 Cipher-text expansion

A main problem of the HHSES is the cipher-text dimension expansion after homomorphic multiplication. For example, as it is given in Section 3.2, the multiplication of two cipher-texts formed of d matrices will give a resultant cipher-text vector formed of 2d − 1 matrices. Following the same analogy of DF polynomial calculation and starting from 2^k cipher-texts each one formed of d matrices, the resultant cipher-text is formed of (2^k(d − 1) + 1) matrices. Thus, evaluating a multiplicative circuit with high depth becomes inefficient due to the high storage overhead. A practical solution to enhance the HHSES efficiency and to reduce the cipher-text dimension after each homomorphic multiplication is applying Key Switching (KS) technique.

3.3.2 KS technique for DF

As it is given previously in (19) and (20), the main idea of KS is to publish a matrix \(M \in \mathbb {Z}^{[H,d]}_{\Psi }\) (H = 2d − 1) that verifies the following:

\(M(s^{*} \rightarrow s)\) such that \(c^{\prime }=Mc^{*}\), (Dimension : (d,1) = (d,H) × (H,1)). KS was applied over DF encryption scheme as it is listed in [16]. The new secret key is given by \(s^{\prime }=[r^{\prime },{r^{\prime }}^{2},{r^{\prime }}^{3},....,{r^{\prime }}^{d}]\) and \(s^{\prime }_{inverse}=[r^{-1} \quad mod(m), r \in s^{\prime }]\) and \(t^{\prime }=[s^{\prime }(i)_{inverse}, 2 \leq i \leq d]\). The matrix M is of dimension (d,H) and is formed of two sub-matrices b and A having the following form \(\begin {bmatrix} b\\A\end {bmatrix}\). Matrix b forms the first row of the public matrix M and it is given by \(b=(-t^{\prime }A+\psi e+s^{*}_{inverse})r^{*} \in \mathbb {Z}^{[1,H]}_{\Psi }\). The matrix A is of dimension (d − 1,H) and is generated based on a uniform distribution over \(\mathbb {Z}_{\Psi }\). Different secret parameters \((s^{*}, s^{\prime }, \psi )\) are encrypted within the matrix M based on the hardness of LWE [26, 29] and e = [e₁,e₂,e₃,...,e_H] is a random Gaussian noise matrix. Given that \(c^{\prime }=Mc^{*}\), the following relations are demonstrated:

$$ \begin{array}{@{}rcl@{}} s^{\prime}_{inverse}c^{\prime} \quad mod(\psi)&=&s^{\prime}_{inverse}(Mc^{*}) \quad mod(\psi) =(s^{\prime}_{inverse}M)c^{*} - k \psi\\ &=&(\psi e+s^{*}_{inverse})c^{*}-k \psi\\&=&s^{*}_{inverse}c^{*}+ \psi(ec^{*}-k)\\&=&s^{*}_{inverse}c^{*} \quad mod(\psi) \end{array} $$

where \(k \in \mathbb {Z}\) and ((20), (19)) are both satisfied.

3.3.3 Applying KS technique for HHSES

Given a public matrix M generated based on Section 3.3.2.

$$ M=\begin{bmatrix} M_{1,1}& M_{1,2}& M_{1,3}& \cdots&M_{1,H}\\ M_{2,1}& M_{2,2}& M_{2,3}&\cdots&M_{2,H}\\ M_{3,1}& M_{3,2}& M_{3,3}&\cdots&M_{3,H}\\ {\vdots} & {\vdots} & {\vdots} & {\ddots} & {\vdots} \\ M_{d,1}& M_{d,2}& M_{d,3}&\cdots&M_{d,H} \end{bmatrix} $$

where \(M \in \mathbb {Z}^{[d,H]}_{\Psi }\) and a DF cipher-text C_mult obtained after multiplication that has the following form:

$$ \begin{array}{@{}rcl@{}} C_{mult}= \begin{bmatrix} ({x^{1}_{1}}{y^{1}_{1}})r^{2}\\ ({x^{1}_{1}}{y^{2}_{1}}+{y^{1}_{1}}{x^{2}_{1}})r^{3}\\ ({x^{1}_{1}}{y^{3}_{1}}+{x^{3}_{1}}{y^{1}_{1}}+{x^{2}_{1}}{y^{2}_{1}})r^{4}\\ \vdots\\ ({x^{d}_{1}}{y^{d}_{1}})r^{2d} \end{bmatrix} \in \mathbb{Z}^{[H=2d-1,1]}_{\Psi} \end{array} $$

The new fresh cipher-text C_Fresh of dimension [d,1] is given by C_Fresh = M × C_mult, where

$$ \begin{array}{@{}rcl@{}} C_{Fresh} = \begin{bmatrix} M_{1,1} \times ({x^{1}_{1}}{y^{1}_{1}})r^{2}+\cdots+ M_{1,H} \times ({x^{d}_{1}}{y^{d}_{1}})r^{2d}\\ M_{2,1} \times ({x^{1}_{1}}{y^{1}_{1}})r^{2} +\cdots+ M_{2,H} \times ({x^{d}_{1}}{y^{d}_{1}})r^{2d}\\ \vdots\\ M_{d,1} \times ({x^{1}_{1}}{y^{1}_{1}})r^{2}+\cdots+ M_{d,H} \times ({x^{d}_{1}}{y^{d}_{1}})r^{2d} \end{bmatrix} \in \mathbb{Z}^{[d,1]}_{\Psi} \end{array} $$

Given a cipher-text \(C^{HHSES}_{mult}\) obtained after homomorphic multiplication using HHSES, the latter is a polynomial matrix that has the following form: K^− 1 ⋅ (P_x×y(t)) ⋅ K, where K is the invertible secret matrix of HHSES and

$$ \begin{array}{@{}rcl@{}} P_{x \times y}(t)&=&diag(({x^{1}_{1}}{y^{1}_{1}})r^{2},({x^{1}_{2}}{y^{1}_{2}})r^{2},\cdots,({x^{1}_{l}}{y^{1}_{l}})r^{2})t^{2}\\ &&+diag((x^{(1)}_{1}y^{(2)}_{1}+y^{(1)}_{1}x^{(2)}_{1})r^{3}, (x^{(1)}_{2}y^{(2)}_{2}+y^{(1)}_{2}x^{(2)}_{2})r^{3},\cdots, (x^{(1)}_{l}y^{(2)}_{l}\\ &&+y^{(1)}_{l}x^{(2)}_{l})r^{3})t^{3}+diag((x^{(1)}_{1}y^{(3)}_{1}+x^{(3)}_{1}y^{(1)}_{1}+x^{(2)}_{1}y^{(2)}_{1})r^{4}, (x^{(1)}_{2}y^{(3)}_{2} + x^{(3)}_{1}y^{(1)}_{2}\\ &&+x^{(2)}_{2}y^{(2)}_{2})r^{4},...,(x^{(1)}_{l}y^{(3)}_{l}+x^{(3)}_{1}y^{(1)}_{l}+x^{(2)}_{1}y^{(2)}_{l})r^{4})t^{4}\\&&+\ldots+diag((x^{(d)}_{1}y^{(d)}_{1})r^{2d},(x^{(d)}_{2}y^{(d)}_{2})r^{2d},....,(x^{(d)}_{l}y^{(d)}_{l})r^{2d})t^{2d} \end{array} $$

\(C^{HHSES}_{mult}\) is a cipher-text formed of (2 × d − 1) matrices. The main concept of KS is to generate a new cipher-text \(C^{HHSES}_{Fresh}\) formed of d matrices without modifying the original plain-text. This can be achieved by building a global public matrix M_Global formed of d × H sub-matrices of dimension (l × l) each having the following form: \( \begin {bmatrix} K^{-1}diag(M_{i,j},M_{i,j},...M_{i,j})K \end {bmatrix}\) where 1 ≤ i ≤ d and 1 ≤ j ≤ H = 2d − 1. \(C^{HHSES}_{mult}\) is presented by the following form:

$$ \begin{array}{@{}rcl@{}} \begin{bmatrix} K^{-1} \times diag(({x^{1}_{1}}{y^{1}_{1}})r^{2},\cdots,({x^{1}_{l}}{y^{1}_{l}})r^{2}) \times K\\ K^{-1} \times diag((x^{(1)}_{1}y^{(2)}_{1}+y^{(1)}_{1}x^{(2)}_{1})r^{3},\cdots, (x^{(1)}_{l}y^{(2)}_{l}+y^{(1)}_{l}x^{(2)}_{l})r^{3}) \times K\\ {\vdots} \vdots\\ K^{-1} diag((x^{(d)}_{1}y^{(d)}_{1})r^{2d},\cdots,(x^{(d)}_{l}y^{(d)}_{l})r^{2d}) \times K \end{bmatrix} \end{array} $$

The following equation can than be demonstrated:

$$ C^{HHSES}_{Fresh}=M_{Global} \times C^{HHSES}_{mult} $$

(30)

4 HHSES security analysis

In this section, a deep security analysis is done for the HHSES to validate its high immunity against several types of attacks. Different security tests are implemented as given in [27] to show its immunity against statistical attacks and related key attacks, and to prove that the scheme provides the avalanche effect, the uniformity and the independence properties. Finally a theoretical crypt-analysis shows that the new scheme is resistant against known plain-text/cipher-text attacks. Different security tests are implemented under Python using Sagemath library with a personal laptop having the following specifications: OS Ubuntu 14.04, RAM 3.9 GB, Processor Intel Core i7 − 8550U CPU @ 1.8 GHZ, 64 bit, Disk 24.1 GB. For the HHSES implementation, the security parameter λ is taken 20, DF dimension d = 2, secret modulus ψ = 256. Different plain-texts are sampled as Bytes \( (\mathbb {Z}_{\psi =256})\) from a Gaussian distribution having a mean value μ = 128 and standard deviation σ = 16.

Remark 4

During the encryption procedure, DF dimension is taken d = 2 (in Section 5.4, a theoretical crypt-analysis shows that the scheme is resistant to known plain-text/cipher-text attacks even with the lowest DF dimension, d = 2). The resultant cipher-text C = [C₁,C₂] is then formed of 2 matrices.

Remark 5

Different elements of the cipher-text C = [C₁,C₂] are in the ring \(\mathbb {Z}_{\Psi }\) (Ψ is the public modulus). To accomplish distribution, recurrence, correlation and entropy tests cipher-texts are converted to the Bytes level as illustrated in Fig. 5. In the latter figure, each element (c ∈ C_i)_{(1≤i≤ 2)} of the cipher-text C is decomposed into bits \([{b^{i}_{1}},{b^{i}_{2}},.....,b^{i}_{\lceil log_{2} \rceil ({\Psi })}]_{(1 \leq i \leq 2)}\), then the (⌈log₂⌉(Ψ)) bits for each cipher-text are grouped by sets of 8 bits and converted into integers to form the new cipher-text at the byte level \([{B^{i}_{1}}, B^{i}_2,.....,B^{i}_{\frac {\lceil log_{2}}{ \rceil ({\Psi }){8}}}]_{(1 \leq {i} \leq {2})}\), where \(B^{i}_{j} \in \mathbb {Z}_{256}\).

Fig. 5

Cipher-text byte conversion procedure

4.1 Resistance against statistical attacks

Resistance against statistical attacks is assured by the proposed scheme while providing a high level of randomness. Thus, the resultant cipher-text should present the independence and uniformity criteria. Uniformity can be proved visually by plotting the histogram of the cipher-texts and applying the entropy test. On the other hand, the independence property is validated visually by plotting the recurrence of the encrypted data and calculating the percentage of difference in bit level between the original and the encrypted data (difference test) and the correlation between the original and the encrypted data. All these tests are applied in the following sections to prove the resistance of the scheme against the statistical attacks.

Fig. 6

Distribution test for a random original message M (a) and for two cipher messages C₁ (b) and C₂ (c) obtained by using the proposed HHSES scheme with a random secret key

4.1.1 Uniformity property

1. 1.

   Distribution Test: To guard against statistical attacks, a good crypto-system should give a distribution close to uniform among the cipher-texts. The distributions of the plain-texts and their correspondent cipher-texts are given in Fig. 6. The plain-texts’ distribution is Gaussian where different data messages are close to each other (low standard deviation as given previously). After applying the HHSES scheme over a plain-texts message M of size 16 Bytes, one can visually detect that the two cipher-texts’ distributions are close to uniform and no clear pattern is shown. Thus, an attacker is unable to reveal the plain-texts’ distribution after drawing the two cipher-texts’ distributions. Hence, the scheme is resistant against statistical attacks.

2. 2.

   Entropy Test: The entropy is used to measure the level of uncertainty in a random variable. The entropy of a message m is calculated by the following equation:

   $$ \sum\limits_{i=0}^{2^{\Theta}-1} p(m_{i})log_{2}\frac{1}{p(m_{i})} $$

   (31)

   p(m_i) represents the probability of occurrence of symbol m_i and 2^Θ is the total states of information source. A truly random entropy is equal to Θ. As given in Fig. 5, the cipher-texts are transformed into the Byte level \((\mathbb {Z}_{256}, 2^{8}=256)\), thus the resultant cipher-texts of the HHSES are considered as a truly random source if the entropy values are close to 8. In Fig. 7, the entropy values are calculated for both cipher-texts C₁ and C₂ for 10000 iterations and for a plain-texts message M of 16 Bytes.

   Fig. 7

   

   Variation of the entropy test for the obtained cipher-text C1 (a) and C₂ (b) for 10000 random secret keys

   In the presented figure, the red dots present the different entropy values obtained by implementing the entropy tests over the cipher-texts and the blue line represents the ideal value (equal to 8 in our case). The obtained results gave for cipher-text C₁ a mean value equal to 7.996 with a low standard deviation equal to 0.000361 and for cipher-text C₂ a mean value equal to 7.9959 with a low standard deviation equal to 0.0003666 as given in Table 2. After analyzing the obtained results, one can deduce that the different obtained entropy values are close to the ideal value (8) for both cipher-texts. Thus, the HHSES scheme presents the required uniformity.

Table 2 Statistical analysis result for the different security tests

4.1.2 Independence property

As mentioned previously, several tests can be done to prove the independence criterion which are the recurrence, correlation and difference tests.

1. 1.

   Recurrence Test: Starting from a data sequence x_i = x_(i,1),x_(i,2),x_(i,3),....,x_(i,m) and vector with delay t ≥ 1 constructed by x_i(t) = x_(i,t),x_(i,2t),x_(i,3t),...,x_(i,mt), the recurrence test is achieved by calculating the correlation among these two sequences to measure the evolution of randomness. Figure 8a represents the correlation among x_i(t) and x_i(t + 1) for the plain-text while Fig. 8b and c are for both cipher-texts C₁ and C₂. For the plain-texts, we used a Gaussian distribution with a mean value equal to 128 with a low standard deviation as given in Fig. 8a. After applying the HHSES over a plain-texts’ message M of size 16 Bytes, Fig. 8b and c present a high level of randomness among the cipher-texts and no clear pattern is shown after the encryption process.

2. 2.

   Difference Test: The difference test consists of calculating the difference at the bit level between the plain-texts and their correspondent cipher-texts. To achieve the independence property, a good crypto-system should at least give 50% difference at the bit level between the plain-texts and the cipher-texts. In Fig. 9, the difference test is applied for a plain-texts message M of size 16 Bytes for 10000 iterations. As given in Table 2, mean value for cipher-text C₁ is equal to 49.998 with a low standard deviation equal to 0.08299 and for cipher-text C₂ the mean value is equal to 49.9977 with a low standard deviation equal to 0.08345. Thus, one can deduce that difference values at the bit level between cipher-texts and plain-texts (red dots) are close to the ideal value (50: blue line) and the new scheme provides the independence property.

3. 3.

   Correlation Test: The correlation coefficient between a cipher-text message y and its correspondent plain-text message x is given by the following equation:

   $$ \begin{array}{@{}rcl@{}} \rho_{x, y}=&{}{}&\frac{cov (x,y)} {\sqrt{D(x)\times{D(y)}}}\\ && \text{where} cov (x,y)=E [\{x-E(x)\}\{y-E(y)\}]; \\ && E(x)=\frac{1}{n}\times {\sum}_{k=1}^{n} x_{i} \\ && {} \text{and} D(x)=\frac{1}{n}\times \sum\limits_{k=1}^{n} \{{x_{i}-E[x]\}}^{2} \end{array} $$

   (32)

   A good crypto-system that satisfies the independence property should present a low correlation (close to zero) between the plain-texts and the cipher-texts distribution. In Fig. 10, the correlation for 10000 iterations for a plain-text message M of size 16 Bytes with its corresponding cipher-texts is calculated. As presented in Table 2, the correlation’s mean value between cipher-text C₁ and the plain-texts message M is equal to 9.10129 × 10^− 5 with a low standard deviation equal to 0.0047077. For cipher-text C₂, the correspondent mean value is equal to 0.000124 with a low standard deviation equal to 0.004748. Hence, the resultant scheme provides the required property of in-dependency, since different correlation values (red dots) are close to the ideal correlation value which is zero (blue line).

Fig. 8

Recurrence test for a random original message M (a) and for two cipher messages C₁ (b) and C₂ (c) obtained by using the proposed HHSES scheme with a random secret key

Fig. 9

Variation of the difference test with respect to the plain-text M for the obtained cipher-text C1 (a) and C₂ (b) for 10000 random secret keys

Fig. 10

Variation of the correlation test with respect to the plain-text M for the obtained cipher-text C₁ (a) and C₂ (b) for 10000 random secret keys

4.2 Resistance against related key attacks

A crypto-system that ensures a high resistance against related key attacks should give a high level of Key Sensitivity (KS) where the cipher-text should ensure a (KS) result close to 50. Thus, the KS test consists on calculating the difference between the cipher-texts at the bit level after doing a slight change in the encryption key. Indeed, the sensitivity of w^th secret key \(K_{w}^{\lq {}}\) is calculated as follows:

$$ KS_{w}= \frac{{\sum}_{k=1}^{T} E_{K_{w} } \oplus E_{K_{w}^{\prime}}}{T}\times 100\% , $$

(33)

where all the elements of \(K_{w}^{\lq {}}\) are equal to those of K_w, except a random Least Significant Bit (LSB) of a random byte, T is the length of the original and cipher-text packets (in bits), and w = 1,2,…,10000. Figure 11 presents the result for 10000 iterations for a plain-texts’ message M of 16 Bytes. Mean values are close to 50 with a low standard deviation as given in Table 2 (C₁: Mean Value= 50.00208, Std= 0.082217 and C₂: Mean Value= 50.002986, Std= 0.084065). Thus, KS values obtained by implementation (red dots) are concentrated close to the ideal KS value (50), and the scheme provides the required Key Sensitivity property.

Fig. 11

Variation of the KS test for the obtained cipher-text C₁ (a) and C₂ (b) for 10000 random secret keys.

4.3 Resistance to known plain-text/cipher-text attacks

In this section, the resistance of the HHSES against the known plain-text/cipher-text attacks is first evaluated by testing its avalanche effect while using the Plain-text Sensitivity (PS) test. Second, a theoretical crypt-analysis shows mathematically that the concerned scheme is immune against the concerned attack even with the lowest DF dimension d = 2.

4.3.1 Avalanche effect

A good crypto-system should satisfy the avalanche effect. The avalanche effect can be interpreted by a significant change in the cipher-text due to a slight change in the plain-text. A good measure for the avalanche effect is the Plain-text Sensitivity (PS) test which gives the difference at the bit level between the resultant cipher-texts of two plain-texts that differ only in 1 bit. A crypto-system that satisfies the avalanche effect should at least give 50% difference. Figure 12 gives the result of this test for 10000 iterations for a plain-texts message M of 16 Bytes. Mean values are close to 50 with a low standard deviation as given in Table 2 (C₁: Mean Value= 49.99929, Std= 0.08173, C₂: Mean Value= 50.00017, Std= 0.0845123). One can deduce that the HHSES presents the avalanche effect since different PS values (red dots) are concentrated close to the ideal value (50) (blue line).

Fig. 12

Variation of the PS test for the obtained cipher-text C₁(a) and C₂ (b) for 10000 random secret keys

4.3.2 Theoretical crypt-analysis

As mentioned previously, HHSES is a new symmetric HE scheme based on mixing the homomorphic behavior of two well known symmetric HE schemes: the MORE approach and the DF scheme.

As given in Sections 2.2.1 and 2.2.3, MORE approach and DF scheme are sensible to known plain-text/cipher-text attacks where revealing secret parameters for both is possible for each with a certain probability.

In this part, it is shown theoretically that the HHSES is resistant against the known plain-text/cipher-text attacks. It is also demonstrated that the implementation of the new scheme is secure even with the lowest possible DF dimension (d = 2).

Having Θ plain-texts’ vectors \(X^{j}=[{x^{j}_{1}}, {x^{j}_{2}}]\) where 1 ≤ j ≤Θ with their respective cipher-texts:

$$ \begin{array}{@{}rcl@{}} C^{j}=[C^{j,(1)}=\begin{bmatrix} C^{j,(1)}_{11} & C^{j,(1)}_{12}\\ C^{j,(1)}_{21}& C^{j,(1)}_{22} \end{bmatrix} =K^{-1} \begin{bmatrix} x^{j,(1)}_{1}r&0\\ 0& x^{j,(1)}_{2}r \end{bmatrix}K, \\ C^{j,(2)}=\begin{bmatrix} C^{j,(2)}_{11} & C^{j,(2)}_{12}\\ C^{j,(2)}_{21}& C^{j,(2)}_{22} \end{bmatrix}= K^{-1}\begin{bmatrix} x^{j,(2)}_{1}r^{2}&0\\ 0& x^{j,(2)}_{2}r^{2} \end{bmatrix}K] \quad mod({\Psi}) \end{array} $$

We suppose the existence of an attacker who knows the Θ couples of plain-text/cipher-text \((X^{j}=[{x^{j}_{1}},{x^{j}_{2}}],C^{j}=[C^{j,(1)}, C^{j,(2)}], \quad 1 \leq j \leq {\Theta })\) and who’s trying to reveal the HHSES secret parameters (i.e. the secret modulus ψ, the secret invertible key r and the secret invertible matrix K) by doing the following two steps:

1. 1.

   Revealing ψ and r: in order to reveal the secret parameters ψ and r, the attacker will try to calculate the (4 ×Θ) DF values that are \((x^{j,(1)}_{1}r, x^{j,(1)}_{2}r, x^{(j,2)}_{1}r^{2}, x^{j,(2)}_{2}r^{2})\) that form the eigen values of matrices C^j,(1) and C^j,(2) respectively. This can be done by calculating the roots of the (2 ×Θ) characteristic polynomials P^j,(1)(α) of C^j,(1) and P^j,(2)(α) of C^j,(2) that are given by:

   $$ \begin{array}{@{}rcl@{}} P^{j,(1)}(\alpha)= {\alpha}^{2}-\alpha(C^{j,(1)}_{11}+C^{j,(1)}_{22})+C^{j,(1)}_{11}C^{j,(1)}_{22}-C^{j,(1)}_{21}C^{j,(1)}_{12} \quad mod({\Psi})\\ P^{j,(2)}(\alpha)= {\alpha}^{2}-\alpha(C^{j,(2)}_{11}+C^{j,(2)}_{22})+C^{j,(2)}_{11}C^{j,(2)}_{22}-C^{j,(2)}_{21}C^{j,(2)}_{12} \quad mod({\Psi}) \end{array} $$

   Calculating the roots of P^j,(1)(α) and P^j,(2)(α) is a hard task due to Rabin’s crypto-system that is reduced to the problem of factoring \({\Psi }=\psi \times {\prod }^{m}_{i=1} (p_{i}\times q_{i})\). Thus revealing the (4 ×Θ) DF values \((x^{j,(1)}_{1}r, x^{j,(1)}_{2}r, x^{j,(2)}_{1}r^{2}, x^{j,(2)}_{2}r^{2})\) is a hard task for the attacker, which makes revealing r and ψ also a hard task.

2. 2.

   Revealing the Secret Invertible matrix K: the columns of the secret invertible matrix K are the eigen vectors of the (2 ×Θ) matrices C^j,(1) and C^j,(2). Calculating those eigen vectors while knowing the eigen values is done by applying (7). The attacker is unable to apply the procedure of (7) with HHSES even while knowing the Θ couples \((x^{j}=[{x^{j}_{1}},{x^{j}_{2}}],C^{j}=[C^{j,(1)}, C^{j,(2)}])\). The latter hardness is based on the fact that the eigen values of C^j,(1) and C^j,(2) are not \({x^{j}_{1}}\) and \({x^{j}_{2}}\), otherwise they are the (4 ×Θ) random values (\((x^{j,(1)}_{1}r, x^{j,(1)}_{2}r, x^{j,(2)}_{1}r^{2}, x^{j,(2)}_{2}r^{2})\)) generated based on the DF encryption algorithm and secret parameters. In addition, revealing (\((x^{j,(1)}_{1}r, x^{j,(1)}_{2}r, x^{j,(2)}_{1}r^{2}, x^{j,(2)}_{2}r^{2})\)) is a hard task due to Rabin’s crypto-system as it is mentioned in the previous step.

Table 2 presented below shows the maximum, the minimum, the mean, and the standard deviation values of different security test results listed previously and implemented to evaluate the security level of the concerned scheme and its immunity against a big variety of attacks.

5 Experimentation and performance analysis

In this section, the performance of the new scheme HHSES is compared with three well known symmetric schemes: the MORE approach, the PORE approach, and the DF scheme. It is also compared with the famous asymmetric scheme BGV. The comparison is done in terms of execution time for the different basic cryptographic functions: encryption, decryption, homomorphic addition, and homomorphic multiplication. Different implementations are done under Python using SageMath library with a personal laptop having the following specifications: OS Ubuntu 14.04, RAM 3.9 GB, Processor Intel Core i7 − 8550U CPU @ 1.8 GHZ, 64 bit, Disk 24.1 GB.

5.1 Comparison with symmetric schemes

To accomplish the required comparison, the four different symmetric encryption schemes (HHSES, DF, MORE and PORE) are implemented with the same level of security (security parameter λ = 20), the same plain-texts message size l in Bytes (varied from 8 Bytes till 128 Bytes) and the same cipher-texts range of storage overhead. Different plain-text inputs are sampled as Bytes from the ring \(\mathbb {Z}_{256}\). For different operations, the mean execution time is calculated for 50 iterations.

1. 1.

   HHSES Performance Analysis: as it was proven in the previous section (HHSES Security Analysis), the concerned scheme is resistant against different types of attacks and especially the known plain-text/cipher-text attacks even with the lowest possible DF dimension d = 2. Thus, HHSES is implemented with DF dimension dimension d = 2. The evolution of different operations execution time of the HHSES in function of the plain-texts message size l is presented in the two tables below: Tables 3 and 4. KS is adopted for the HHSES in order to preserve the cipher-texts dimension after each homomorphic multiplication (Section 3.3). In Table 3, Mean Total Multiplication time refers to the basic time of multiplication with the KS operation. In Table 4, different execution time values for multiplication as a function of the message size in Bytes provided with the public matrix M generation (Section 3.3) are present in details.

   After examining different results published in both Tables 3 and 4, one can deduce that the execution times of different HHSES cryptographic and arithmetic functions and storage overheads increase with the increase of the message size l in Bytes.

   Table 3 HHSES execution time in seconds (λ = 20)

   Table 4 HHSES KS time in seconds (λ = 20)

   Remark 6

   During the HHSES performance analysis, DF dimension is fixed to d = 2 based on the security analysis of the scheme. Starting from a security parameter λ = 20, implementation has shown that the HHSES cipher-text public modulus N (explained in Section 3) size in Bytes is 176 (parameter m = 5, prime integers p_i and q_i taken of size 16 Bytes and \(N={\prod }^{m}_{i=1} f_{i}\), \(\{f_{i}\}\text {} ^{m}_{i=1}\) where f_i = p_iq_i). Thus, the encryption of a plain-texts message of size l Bytes will output a cipher-text C = [C₁,C₂] formed of 2 matrices (C₁) and (C₂) each of dimension l × l. The cipher-text C size in memory will be (l × l × 2 × 176) Bytes. For example with l = 8 the cipher-text C in Bytes will be 8 × 8 × 2 × 176 = 22528 as mentioned in Table 3.

2. 2.

   DF Performance Analysis: the evolution of different operations execution time for the DF scheme in function of the message size l is shown in Table 5. Parameter d represents the DF cipher-text dimension as given in Section 2.2.3.

   Table 5 DF execution time in seconds (λ = 20)

   After examining different metrics given in Table 5, one can deduce that with the increase of the plain-texts message size l and the DF parameter d different execution times and storage overheads increase. As for the comparison between the HHSES and the DF schemes, different implementations for both schemes should be driven with the same level of security (i.e. security parameter λ is taken 20 for both HHSES and DF schemes) and the same level of cipher-texts storage overhead. Achieving the same level of storage overhead for both DF and HHSES while encrypting two plain-texts messages having the same size l in Bytes is accomplished as follows: during this implementation the secret modulus of DF scheme \(m^{\prime }\) is taken 256 (i.e. plain-texts are taken a Bytes) and λ = 20, the public modulus is then m = (256)²⁰ (as explained in Section 2.2.3). The size of the resultant public modulus m in Bytes is then 20. Thus, starting from a plain-texts message of length l, the DF cipher-texts message size in Bytes will be (l × d × 20). Hence, the correspondent DF parameter d required to generate a DF cipher-texts message having the same range of storage overhead for a given HHSES cipher-texts message (also related to a plain-texts message of size l) is calculated by applying the following formula \(\displaystyle {\lfloor \frac { Required\_Storage\_HHSES\_Overhead\_Bytes }{l \times 20}\rfloor }\). For example as given in Table 5, to achieve a DF cipher-texts of dimension close to the correspondent HHSES cipher-texts size (22528 Bytes as given in Table 3) for a plain-texts message of length l = 8 Bytes, \(d=\displaystyle {\lfloor \frac { 22528 }{8 \times 20} \rfloor }=140\). A practical way to compare between the performance of both HHSES and DF schemes in terms of different metrics given in Tables 3 and 5 is to calculate the following ratio \(\displaystyle {\epsilon =\frac {HHSES\_Metric}{DF\_Metric}}\) as given in Table 6 below:

   Table 6 Ratio between HHSES and DF schemes

   By analyzing different results given in Table 6, one can deduce that with the same plain-texts message length (l varied from 8 till 128 Bytes), the same level of security (λ = 20) and the same range of storage overhead (Storage Overhead 𝜖’s are close to 1), the HHSES is performing better than the DF scheme in terms of execution time since the majority of the 𝜖’s values related to execution times are lower than 1. Given that the DF scheme suffers from vulnerability to the known plain-text/cipher-text attacks (Section 2.2.3) and the HHSES presents the immunity against this type of attacks (Section 4.3), it is clear that the HHSES scheme is more implementable and practical than the DF scheme in real world applications.

3. 3.

   MORE Performance Analysis: different execution times for different functions related to the MORE approach while varying the plain-texts message size l in Bytes are presented in Table 7. Matrix_Dim represents the matrix dimension of the MORE approach as given in Section 2.2.1.

   Table 7 MORE execution time in seconds (λ = 20)

   It is clear from Table 7, that with the increase of the plain-texts message size l and the MORE matrix dimension Matrix_Dim, different execution times and storage overheads will increase.

   Based on the MORE encryption procedure listed in Section 2.2.1, the encryption of plain-texts message of size l Bytes will output a cipher-texts message of size (l × Matrix_Dim × Matrix_Dim × N_Size_Bytes) Bytes where N_Size_Bytes is the size in Bytes of N (the MORE cipher-text public modulus). Implementation has shown, that with a security parameter λ = 20, public modulus N size in Bytes (N_Size_Bytes) is 159 (parameter m = 5, prime integers p_i and q_i are taken of size 16 Bytes and \(N={\prod }^{m}_{i=1} f_{i}\), \(\{f_{i}\}\text {} ^{m}_{i=1}\) where f_i = p_iq_i). Hence, to generate a MORE cipher-texts message with a storage overhead close to a given HHSES cipher-texts message while both having the same plain-texts message size l, Matrix_Dim should be estimated as follows: \(\displaystyle {\lfloor \sqrt {\frac {Required\_Storage\_HHSES\_Overhead\_Bytes}{l \times 159}} \rfloor }\). The comparison between both HHSES and MORE schemes in terms of different metrics presented in Table 3 and Table 7 is accomplished like the case of DF scheme and presented in Table 8 below:

   Table 8 Ratio between HHSES and MORE schemes

   As given in Table 8, for the same plain-texts message size l in Bytes, the same security parameter λ and the same range of storage overhead (Storage Overhead 𝜖) for both MORE and HHSES schemes, MORE is performing better than the HHSES in terms of execution time since the majority of 𝜖’s values related to execution times are greater than 1. Based on the crypt-analysis of the MORE approach discussed in Section 2.2.1, the latter scheme is vulnerable to the known plain-text/cipher-text attacks while the HHSES presents simultaneously the efficiency in implementation and the high immunity against a big variety of attacks and specifically the known plain-text/cipher-text attacks.

4. 4.

   PORE Performance Analysis: the variation of execution time of different cryptographic and analytic functions related to the PORE scheme while varying the plain-texts message size in Bytes is given in the following Table 9. N_bits represents the number of bits related to the PORE public modulus N (Section 2.2.2).

   Table 9 PORE execution time in seconds (λ = 20)

   After analyzing different values present in Table 9, one can deduce that with the increase of plain-texts message size l, different execution times and storage overheads will increase.

   As for the comparison between the performance of HHSES and PORE schemes, the same principle adopted for both DF and MORE schemes is applied. The two schemes (HHSES and PORE) should be implemented with the same level of security (λ = 20), the same plain-texts message size l in Bytes and the same range of storage overhead. Given that the PORE cipher-text dimension is limited to 2 numbers (C = (c₁,c₂)), a practical way to control the PORE cipher-texts message size is to vary the size of the PORE public modulus N (explained in Section 2.2.2). Hence, encrypting a plain-texts message of size l Bytes under the PORE scheme will output a cipher-texts message having the same range of storage overhead of that of a given HHSES cipher-texts message related also to a plain-texts message of size l Bytes if the PORE public modulus N size in Bytes is estimated by using the following formula \(\lfloor \displaystyle {\frac {Required\_Storage\_HHSES\_Overhead\_Bytes}{2 \times l}} \rfloor \). For example, starting from a plain-texts message size of l = 8 Bytes, to achieve under the PORE a cipher-texts message of size close to 22528 Bytes (HHSES cipher-texts message size in Bytes for l = 8 Bytes as given in Table 3) the size of the PORE public modulus \(N= \lfloor \displaystyle {\frac {22528}{2 \times 8}} \rfloor =1408\) Bytes (i.e 1408 × 8 = 11264 bits). The parameter m is taken equal to 5, both prime integers p_i and q_i are taken of size 140 Bytes in this case and \(N={\prod }^{m}_{i=1} f_{i}\), \(\{f_{i}\}\text {} ^{m}_{i=1}\) where f_i = p_iq_i. The comparison between the performance of HHSES and PORE is accomplished similar to that of DF and PORE and presented in Table 10.

   Table 10 Ratio between HHSES and PORE schemes

   Based on Table 10, one can deduce that the PORE approach is performing better than the HHSES in terms of execution times since all 𝜖’s values related to execution times are greater than 1. We recall that the PORE Approach is vulnerable to known plain-text/cipher-text attack (Section 2.2.2), where the attack can be driven while knowing only one couple of plain-text/cipher-text. On the other hand, the HHSES presents efficiency in implementation and high immunity against attacks.

5.2 Comparison with asymmetric schemes

In this Section, the performance of the HHSES scheme is compared with the well known asymmetric BGV scheme. Starting from the same level of security (λ = 10), a plain-texts message is taken from the ring \(\mathbb {Z}_{256}\) where its size is varied from 2 Bytes till 7 Bytes. Hence, different results are published as follows:

1. 1.

   HHSES Performance Analysis: implementations given in Tables 11 and 12 are similar to Tables 3 and 4 (the security parameter λ is taken 10 instead of 20). It is clear that with increase of the plain-texts message size l, different execution times of different operations and storage overheads will also increase.

2. 2.

   BGV Performance Analysis: Table 13 presents the execution times of the BGV scheme for different operations are given (similar to the HHSES scheme). Latt_Dim represents the lattice dimension (BGV cipher-text dimension). In Table 14, detailed execution times for homomorphic multiplication (basic multiplication and KS technique) and public matrix M generation (Section 2.3) are shown. Based on these two tables, different execution times and storage overheads are increasing with the increase of the plain-texts message Size l and the lattice dimension (Latt_Dim).

   Table 11 HHSES execution time in seconds (λ = 10)

   Table 12 HHSES KS time in seconds (λ = 10)

   Table 13 BGV execution time in seconds (λ = 10)

   Table 14 BGV KS time in seconds (λ = 10)

   As mentioned in the previous Section 5.1, to achieve a good comparison between different encryption schemes, implementations should be accomplished with the same security parameter λ, the same plain-texts message size l in Bytes and the same range of storage overhead. Achieving for a BGV cipher-texts message the same size in Bytes of a given HHSES cipher-texts (Required_Storage_HHSES_Overhead_Bytes) starting from the same plain-texts message size l is done as follows: based on [4], a secure implementation of the BGV scheme is assured as long as Latt_Dim≅poly(λ) and the BGV public modulus q≅poly(Latt_Dim). Hence starting from Latt_Dim≅poly(λ) and q≅(Latt_Dim)^g where \(g \in \mathbb {Z}\), for a plain-texts message of size l in Bytes, the resultant cipher-texts message size in Bytes after applying the BGV scheme is equal to \(\lceil \displaystyle { \frac {l \times Latt\_Dim \times log(Latt\_Dim)^{g}}{8 \times log(2)} \rceil }\). Thus, to achieve the required level of storage overhead for a BGV cipher-texts message, g is estimated by the following formula \(\displaystyle {g= \lfloor \frac {Required\_Storage\_HHSES\_Overhead\_Bytes \times 8 \times log(2)}{l \times Latt\_Dim \times log(Latt\_Dim)}}\rfloor \). For example, as given in Table 13 for l = 2 and Latt_Dim = 13 to achieve for BGV a cipher-texts message of size 896 Bytes (Required_Storage_HHSES_Overhead_Bytes given in Table 11), \(\displaystyle {\lfloor g=\frac {896 \times 8 \times log(2)}{2 \times 13 \times log(13)} \rfloor =74}\) and q≅(13)⁷⁴. The comparison between the HHSES and the BGV schemes is accomplished a given in Tables 6, 8 and 10 and given in Tables 15 and 16.

Table 15 Ratio between HHSES and BGV schemes

Table 16 Ratio between BGV and HHSES for KS operation

Based on the results given in Tables 15 and 16, it is obvious that the HHSES is performing better than the BGV scheme in terms of execution time given that different 𝜖’s values related to execution times are lower than 1. Given that both schemes are immune against the known plain-text/cipher-text attacks, one can conclude that the HHSES is considered as a good competent for the well known BGV scheme.

5.3 Multiplicative circuit evaluation

Another way to compare the performance of the different encryption schemes (DF, HHSES and BGV) is to evaluate the multiplicative circuit of depth l given in Fig. 13. The 3 schemes listed previously suffer from cipher-text expansion after homomorphic multiplication and KS technique can be adopted as a practical solution to reduce this expansion and improve their efficiency.

Fig. 13

Multiplicative circuit of depth l

In Fig. 14, the circuit evaluation using the HHSES is compared with an evaluation that adopts the basic DF scheme given in [7] and another version of it that adopts the DF scheme implemented with KS as presented in [16]. Different schemes are implemented with the same security level (security parameter λ = 60) over a plain-text message of size 2 Bytes and by varying the circuit depth l from 2 till 14 and taking the DF dimension d respectively 2, 3 and 5 for DF and HHSES. Different execution times in Fig. 14 represent the mean values of 10 iterations and illustrated in seconds using a log scale. After examining different results, it is clear that with the increase of the circuit depth different execution times are increasing linearly. A deep analysis of the concerned results shows that the main importance of the HHSES comes with complex circuits of high depth (l ≥ 6) since DF with KS takes the lowest execution time afterward comes HHSES and the highest execution time is preserved for DF without KS. The main contribution of HHSES is that with circuits of high depth, such as the case of real-life applications, the latter is a symmetric scheme that provides, simultaneously, the efficiency in implementation and the immunity against different types of attacks including the known plain-text/cipher-text attacks. On the other hand, DF with KS is efficient but it is compromised where a known plain-text/cipher-text attack is possible while knowing at least d couples of plain-text/cipher-text as given in [16, 35].

Fig. 14

Multiplicative circuit evaluation for HHSES and DF

In Fig. 15, the evaluation procedures of the circuit given in Fig. 13 using both asymmetric BGV and symmetric HHSES are illustrated. Starting from the same security parameter (λ = 10) and a plain-text message of size 2 Bytes for both, the circuit depth is varied from 1 till 5. As for HHSES, DF dimension d is varied between 10, 25, and 50 respectively. For BGV the lattice dimension is chosen 5, 7, and 10 respectively. Different results in Fig. 15 also present the mean execution time of 10 iterations given in seconds and illustrated using a log scale. It is clear from the given results that with the increase of circuit depth l, execution times are increasing linearly. A deep examination of the obtained results shows that HHSES with d = 10 is taking the lowest execution time then come respectively HHSES with d = 25, BGV with lattice dimension= 5, HHSES with d = 50, BGV with lattice dimension= 7 and finally BGV with lattice dimension= 10 is taking the highest execution time. In conclusion, HHSES can be considered as a good candidate in comparison with the well known and famous BGV scheme. Hence, the proposed solution is a symmetric HE cipher, and it requires simple operations and a lower number of rounds. Thus, the proposed solution can ensure better efficiency compared to existing asymmetric ones. Moreover, the proposed solution reaches resistance against crypt-analysis as discussed in Section 4. Equally important, the storage overhead can be reduced according to the selected encryption parameters (configuration). This discussion indicates clearly that the proposed solution can reach a good level of efficiency and robustness.

Fig. 15

Multiplicative circuit evaluation for HHSES and BGV

6 HHSES optimization using CRT

HE schemes are characterized by having a high storage overhead in comparison with traditional encryption schemes, which reflects a high computational complexity in the encryption and decryption operations. Brakerski et al. [2] and Smart et al. [32] proposed an optimization technique for HE and decryption over an array of plain-texts instead of a single plain-text at a time. This technique uses the Chinese Remainder Theorem (CRT) [31] and factorizes any plain-text ring R_f into a product of many small prime factors where \(f={\prod }^{t}_{i=1}f_{i}\), where f₁, f₂, ....., f_t are distinct prime numbers.

6.1 Chinese remainder theorem (CRT)

In this section, a brief overview about CRT is introduced as given in [31]: Given n₁, n₂,....,n_t, t integers greater than 1 and N = n₁ × n₂ × .... × n_t the product of the n_i. The CRT asserts that if the n_i are pairwise co-prime and if a₁, a₂,...., a_t are t integers such that 0 ≤ a_i ≤ n_i for every i, then there is one and only one integer x, such that 0 ≤ x < N and the remainder of the Euclidean division of x by n_i is a_i for every i.

The CRT can be written in term of congruence’s: If the n_i are pairwise co-prime, and if a₁, a₂,..., a_t are any integers, then there exist integers x such that:

$$ \begin{array}{llll} x \equiv a_{1} \quad (mod \quad n_{1})\\ x \equiv a_{2} \quad (mod \quad n_{2})\\ {\vdots} \quad \quad \quad \quad \\ x \equiv a_{t} \quad (mod \quad n_{t}) \end{array} $$

(34)

Any given two solutions, for example x₁ and x₂, are congruent modulo N (i.e x₁ ≡ x₂ (mod N)) CRT enables homomorphic operations, since having two integers x and y in N that verify the two following relations:

$$ \begin{array}{@{}rcl@{}} x \equiv a_{1} \quad (mod \quad n_{1}) \quad \quad \quad y \equiv b_{1} \quad (mod \quad n_{1})\\ x \equiv a_{2} \quad (mod \quad n_{2}) \quad \quad \quad y \equiv b_{2} \quad (mod \quad n_{2})\\ {\vdots} \quad \quad \quad {\vdots} \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad {\vdots} \quad \quad \quad \vdots\\ x \equiv a_{t} \quad (mod \quad n_{t}) \quad \quad \quad y \equiv b_{t} \quad (mod \quad n_{t}) \end{array} $$

Both addition and multiplication properties are simply verified:

$$ \begin{array}{@{}rcl@{}} x+y \equiv (a_{1}+b_{1})\quad (mod \quad n_{1}) \quad \quad \quad \quad x \times y \equiv (a_{1} \times b_{1})\quad (mod \quad n_{1})\\ x+y \equiv (a_{2}+b_{2})\quad (mod \quad n_{2}) \quad \quad \quad \quad x \times y \equiv (a_{2} \times b_{2})\quad (mod \quad n_{2})\\ {\vdots} \quad \quad \quad {\vdots} \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad \quad {\vdots} \quad \quad \quad \vdots\\ x+y \equiv (a_{t}+b_{t})\quad (mod \quad n_{t}) \quad \quad \quad \quad \quad x \times y \equiv (a_{t} \times b_{t})\quad (mod \quad n_{t}) \end{array} $$

6.2 HHSES under CRT

In order to enhance the HHSES efficiency, the latter scheme is implemented under CRT as follows:

1. 1.

   Security Parameters:

   1. (a)

      λ: security parameter, based on the security level.

   2. (b)

      t: CRT’s number of equations.

   3. (c)

      ψ_i, 1 ≤ i ≤ t: t secret co-primes pairwise modulus (ψ₁,ψ₂,....,ψ_t) are generated such that \(\psi _{i}=random\_prime(2^{high\_bound}, 2^{low\_bound})\).

   4. (d)

      ψ: global secret modulus given by the product of the t(ψ_i) (i.e. ψ = ψ₁ × ψ₂ × .... × ψ_t).

   5. (e)

      N_i, 1 ≤ i ≤ t: t RSA ring modulus are generated (N₁,N₂,..,N_t).

   6. (f)

      Ψ_i: t public modulus where Ψ_i = ψ_i × N_i, where i ∈{1,2,3,..,t}.

   7. (g)

      Ψ: global public modulus is given by the product of t public modulus Ψ_i. (i.e. Ψ = Ψ₁ ×Ψ₂ × .... ×Ψ_t)

   8. (h)

      r_i, 1 ≤ i ≤ t: t invertible secret keys respectively in the public rings \(\mathbb {Z}_{{\Psi }_{i}}.\)

   9. (i)

      K_i, 1 ≤ i ≤ t: t invertible secret matrices respectively in the public rings (i.e \(K_{i}=(k^{i}_{j,h} \in \mathbb {Z}_{{\Psi }_{i}}\)) generated as given in Section 3.1.1.

   10. (j)

       d: Cipher-text dimension is kept the same as given in Section 3.1.1.

2. 2.

   Encryption Procedure: the computation with respect to the different secret modulus (ψ₁,ψ₂,...,ψ_t) are independent of each and hence encryption can be implemented in parallel as given in Fig. 16.

3. 3.

   Decryption Procedure: similar to the parallel encryption procedure given in Fig. 16, decryption can also be implemented in parallel as given in Fig. 17.

4. 4.

   Implementations: to validate the correctness of the HHSES under CRT for both encryption and decryption procedures, different implementations are done under Python using SageMath library. A personal laptop having the following specifications: OS Ubuntu 14.04, RAM 3.9 GB, Processor Intel Core i7 − 8550U CPU @ 1.8 GHZ, 64 bit, Disk 24.1 GB is used. For parallel processing, the multiprocessing pool of threads available in Python is adopted. In the following implementations, security parameter λ is taken equal to 10, t the number of CRT equations is taken equal to 6. Thus, 6 secret modulus ψ_i such that 1 ≤ i ≤ 6 are generated as random primes between 2⁵⁰⁰ and 2¹⁰⁰ (high_bound = 500 and low_bound = 100). Since 6 CRT equations are present, 6 processors are mandatory to implement the 6 processes of encryption and decryption in parallel to achieve the required optimization.

   Different results of optimization are given as follow:

   1. (a)

      Encryption’ Optimization: in Fig. 18, the mean execution time for 40 iterations of HHSES encryption procedure with and without CRT are respectively calculated. In the related implementation, DF dimension d is taken 50 and the plain-text message size is varied from 10 to 30 with a step equal to 5. By examining the obtained result in Fig. 18, one can see that the parallel processing decreases the execution time of encryption efficiently where 𝜖 represents the relative enhancement of the encryption procedure with CRT with respect to the encryption procedure without CRT as given below:

      $$ \epsilon=\displaystyle{\frac{Execution\_time\_with\_CRT - Execution\_time\_without\_CRT}{Execution\_time\_with\_CRT}} $$

      (35)

      While varying the plain-texts message size from 10 till 30 with a step equal to 5, 𝜖’s values increase respectively as follows: 0.166303856595, 0.3495, 0.4803, 0.51203 and 0.5895.

      Figure 19 illustrates the same contribution for HHSES under CRT but with DF dimension d = 60.

   2. (b)

      Decryption’s Optimization: in Fig. 20, the mean execution time for 40 operations of decryption by taking d = 50 are illustrated. The plain-text message size is also varied from 10 to 30 with a step equal to 5. By examining different values of 𝜖, it is obvious that decryption is also reduced efficiently using the parallel processing implementation since 𝜖’s values are increasing with the increase of the plain-texts message size as follows: 0.24027130944, 0.385004909377, 0.4572527777372, 0.500034926174 and 0.549887710517.

      Fig. 16

      

      Proposed HHSES parallel encryption scheme

      Fig. 17

      

      Proposed HHSES parallel decryption scheme

      Fig. 18

      

      Variation of HHSES encryption execution time with and without CRT for d = 50 (Parallel Processing)

      Fig. 19

      

      Variation of HHSES encryption execution time with and without CRT for d = 60 (Parallel Processing)

      Fig. 20

      

      Variation of HHSES decryption execution time with and without CRT for d = 50 (Parallel Processing)

      Figure 21 also illustrates the same contribution for HHSES under CRT with DF dimension d = 60.

Fig. 21

Variation of HHSES decryption execution time with and without CRT for d = 60 (Parallel Processing)

An overall evaluation for both encryption and decryption optimization procedures leads us to conclude that with the increase of the plain-text message size, the relative enhancement 𝜖 tends to be close to 0.5. Hence, the proposed optimization improves twice the efficiency in implementation in terms of execution time.

7 Conclusion and future work

In this paper, we have designed the first fully symmetric HE scheme that resists the known plain-text/cipher-text attacks. As far as we know this is the first work in this direction. The new scheme is referred to as Homomorphic Hybrid Symmetric Encryption Scheme (HHSES). HHSES is based on mixing the homomorphic behavior of two well known symmetric encryption schemes, which are the MORE approach and the DF scheme. Different implementations and performance evaluations have shown that the new scheme (HHSES) is a good candidate in comparison to the well known symmetric (MORE, PORE and DF) and asymmetric (BGV and DGHV) encryption schemes. Security tests have shown that the new variant presents a high immunity against several types of attacks such as statistical attacks and related key attacks. The scheme also fulfills some important properties such as uniformity, in-dependency, and the avalanche effect. Theoretical crypt-analysis has shown that the scheme is robust against the known plain-text/cipher-text attacks even with the lowest possible dimension (d = 2), while other symmetric schemes (MORE, PORE and DF) are sensitive to this type of attacks. Another contribution in this work is optimizing the HHSES encryption and decryption procedures under CRT using parallel processing. The correctness of the optimization is also validated by the implementation. In conclusion, HHSES is a new efficient, robust, and practical symmetric HE scheme that can be adopted as a secure solution for a wide range of emerging and future applications. For future work, we will design a symmetric fully homomorphic message authentication to achieve data integrity and source authentication security services.

Appendices

Appendix A:: Invertible Secret Matrix Generation

Different Steps for generating the invertible matrix K in [12] are given by the following: Starting from a matrix

$$ k =\begin{bmatrix} a&b\\ c&d\\ \end{bmatrix} $$

its corresponding determinant Det(k) = ad − bc, assume that Det(k) = ad − bc = 1 and a = d. Under the conditions listed above we have: a² − bc = 1, so bc = a² − 1 = (a + 1)(a − 1), than we can write b = a + 1 and c = a − 1. As a result, the matrix k is given by the following form:

$$ k =\begin{bmatrix} a& a+1\\ a-1&a\\ \end{bmatrix} $$

(36)

Since Det(k) = 1, the matrix k is obviously invertible, and k^− 1 is

$$ k^{-1} =\begin{bmatrix} a&-(a+1)\\ -(a-1)&a\\ \end{bmatrix} $$

(37)

If the parameter a is replaced by sub matrix A, we get

$$ K =\begin{bmatrix} A& A+I\\ A-I&A\\ \end{bmatrix} $$

(38)

where I and A are the identity matrix and a non-zero matrix of size n/2 respectively. Additionally, the elements of A can be freely chosen from any Galois field such that K is full rank. However, having a matrix K constructed from four sub-matrices (A,B,C and D), \( K=\begin {bmatrix} A& B\\ C&D\\ \end {bmatrix}\), the inverse of this matrix when A = D, B = A + I and C = A − I can be proven since the determinant of K is given by:

$$ \begin{array}{lll} Det(K)&=&Det(A)\times Det(D-CA^{-1} B)\\ &=& Det(A)\times Det(A-(A-I) A^{-1} (A+I) )\\ &=& Det(A)\times Det(A-(I-A^{-1})(A+I) )\\ &=& Det(A)\times Det(A-(A+I-I-A^{-1} ) )\\ &=& Det(A)\times Det(A^{-1} )\\ &=& Det(A)\times \frac{1}{Det(A)}\\ &=&1 \end{array} $$

(39)

Since Det(K) = 1, the matrix K is always invertible and its inverse integer matrix K^− 1 is:

$$ K^{-1} =\begin{bmatrix} A& -A-I\\ -A+I&A\\ \end{bmatrix} $$

(40)

As a result, building a secret invertible matrix K of dimension n × n, where n is always even is done by selecting a nonzero random sub matrix A of dimension n/2, and by applying the matrix forms listed respectively in (38) and (40), K and K^− 1 are obtained.

Appendix B: Attack on the Invertible Matrix Model

The vulnerability detected by the authors of [34] resides in using (38) while creating the invertible secret key K. As explained previously in Appendix A, the invertible matrix K has the following form: \(\begin {bmatrix} A& A+I\\ A-I&A\\ \end {bmatrix}\) wheredim(K) is[n × n] and \(dim(A)=dim(I)=\displaystyle {[\frac {n}{2} \times \frac {n}{2}]}\), thus the attack is based on the the two following principles:

1. 1.

   Principle 1: the attacker does not know the matrix A, but given a plain-text vector m = [m₁,m₂,....,m_n] with its corresponding cipher-text matrix C of dimension [n × n], he knows that the eigen-vector of C associated to the i^th plain-text m_i has the following form: \( \begin {bmatrix} A(i) \\-A(i)+e_{i} \end {bmatrix}\) for \(\displaystyle {1 \leq i \leq \frac {n}{2}}\) and \( \begin {bmatrix} -A(\displaystyle {i-\frac {n}{2}}) -\displaystyle {e_{i -\frac {n}{2}}} \\A(\displaystyle {i-\frac {n}{2}}) \end {bmatrix}\) for \(\displaystyle {\frac {n}{2} < i \leq n}.\)

2. 2.

   Principle 2: setting C_1,1, C_1,2, C_2,1 and C_2,2 four sub-matrices of \(C=\begin {bmatrix} C_{1,1}, C_{1,2}\\ C_{2,1} C_{2,2} \end {bmatrix}\), the attacker can deduce the following equalities for \(\displaystyle {1 \leq i \leq \frac {n}{2}}\) and \(\displaystyle {\frac {n}{2} < j \leq n}\):

   $$ \begin{bmatrix} C_{1,1}, C_{1,2}\\C_{2,1},C_{2,2} \end{bmatrix}. \begin{bmatrix} A(i)\\ -A(i)+e_{i} \end{bmatrix}=m_{i}.\begin{bmatrix} A(i)\\ -A(i)+e_{i} \end{bmatrix} $$

   (41)
   $$ \begin{bmatrix} C_{1,1}, C_{1,2}\\C_{2,1},C_{2,2} \end{bmatrix}. \begin{bmatrix} -A(\displaystyle{j-\frac{n}{2}}) -\displaystyle{e_{j -\frac{n}{2}}} \\A(\displaystyle{j-\frac{n}{2}}) \end{bmatrix}=m_{j}.\begin{bmatrix} -A(\displaystyle{j-\frac{n}{2}}) -\displaystyle{e_{j -\frac{n}{2}}} \\A(\displaystyle{j-\frac{n}{2}}) \end{bmatrix} $$

   (42)

By linearizing the two (41) and (42) and setting up \(j=i+\displaystyle {\frac {n}{2}}\), the attacker can build the following relation given by:

$$ (-C_{1,1}+C_{1,2}-C_{2,1}+C_{2,2})=(m_{i}-m_{i+\frac{n}{2}}).e_{i} $$

(43)

Let D = (−C_1,1 + C_1,2 − C_2,1 + C_2,2). It is clear that for every \(1 \leq i \leq \displaystyle {\frac {n}{2}}\), the i − th column of D is the i − th canonical vector multiplied by a difference of two eigen-values of C. Thus the matrix D, that can be computed using only one cipher-text, is a diagonal matrix, whose entries leak differences of eigen-values of C.

Revealing a plain-text vector, in this case, is given by the following steps:

1. 1.

   Step1: let δ_i = D(i,i) denotes the i − th entry on the diagonal of D.

2. 2.

   Step2: let the characteristic polynomial p(x) = CharPoly(C)(x) of the cipher-text C.

3. 3.

   Step3: given that the roots of p(x) are the elements of the plain-text vector m, the attacker defines n new polynomials p_−i(x) and p_i(x) for \(\displaystyle {1\leq i \leq \displaystyle {\frac {n}{2}}}\) as p_−i(x) = p(x − δ_i) and p_i(x) = p(x + δ_i)

4. 4.

   Step 4: for any \(1 \leq i \leq \displaystyle {\frac {n}{2}}\), m_i must be a root of p_−i(x), Thus m_i will also be root of gcd(p(x),p_−i(x)).