HiveBrain v1.2.0
Get Started
← Back to all entries
patternMinor

Partially homomorphic encryption (on addition modulo N) not based on prime factorization

Submitted by: @import:stackexchange-cs··
0
Viewed 0 times
encryptionprimeadditionhomomorphicpartiallybasednotmodulofactorization

Problem

A cryptographic function is homomorphic on some operation if that operation is preserved in the encrypted data.

Such a function is homomorphic on addition modulo if the following holds for some cryptographic function $E$:

$
E(x)\cdot E(y) = E(x+y\mod N)
$

and on xor:

$
E(x)\cdot E(y) = E(x \oplus y)
$

This is called a partially homomorphic encryption.

Such schemes are described on the Wikipedia page:

http://en.wikipedia.org/wiki/Homomorphic_encryption

However, all the partially homomorphic schemes on XOR and addition modulo are based on prime factorization.

Are there partially homomorphic encryption methods on XOR or addition modulo that do not are not based on prime factorization (other than the fully homomorphic system proposed by Gentry based on lattice cryptography).

This paper by Mykletun, Girao and Westhoff suggests the El-Gamal method:

http://citeseerx.ist.psu.edu/viewdoc/download;jsessionid=99E3442A4CF314F9AF334969DF9C7974?doi=10.1.1.61.5322&rep=rep1&type=pdf

Solution

Typical ElGamal is homomorphic with respect to multiplication. You can get an additively-homomorphic variant by encrypting $g^m$ instead of $m$. When you decrypt, however, you will get back $g^m$, not $m$. Therefore, you have to solve a discrete log to get $m$ back. This is feasible if we place certain restrictions on $m$ (e.g., the space from which $m$ is drawn is small enough to brute-force the discrete log). Security of ElGamal relates to solving discrete logs.

You can get an elliptic curve variant of ElGamal by using an elliptic curve group instead of a multiplicative group of integers modulo some number. This will get you an additively homomorphic cipher without the need to solve discrete logs. Security of this cipher would relate to solving discrete logs in the elliptic curve group.

I am not aware of alternatives for XOR.

Context

StackExchange Computer Science Q#28921, answer score: 5

Revisions (0)

No revisions yet.