Database Query Privacy Using Homomorphic Encryptions

Sudharaka Palamakumbura and Hamid Usefi{sudharakap, usefi} @ mun.ca

Memorial University of Newfoundland

Database Query Privacy Using Homomorphic Encryptions

Sudharaka Palamakumbura and Hamid Usefi{sudharakap, usefi} @ mun.ca

Memorial University of Newfoundland

Usefulness of Fully Homomorhpic Encryption• Suppose Alice wants to give her data to Bob to perform a certain calculation.

•Alice does not trust Bob but has a Fully Homomorphic Encryption scheme with privatekey sk and public key pk.

c1 = Encpk(x1),

c2 = Encpk(x2),

c3 = Encpk(x3)

c1 × (c2 + c3)

Decsk(c1 × (c2 + c3)) = x1 × (x2 + x3)

AliceBob

c1 × (c2 + c3)

DGVH SchemeLet λ be the security parameter and set, N = λ, P = λ2 and Q = λ5. The scheme isbased on the following algorithms;

•KeyGen(λ): The key generation algorithm which randomly chooses a P -bit integer pas the secret key.

•Enc(m, p): The bit m ∈ {0, 1} is encrypted by

c← m′ + pq

where m′ = m (mod 2) and q, m′ are random Q-bit and N -bit numbers respectively.

Gahi’s Method for Query Privacy

•Bob now has a list of sequences.

r Database Records Ir Sr

1 (1, 1, 0, 0, 0) Enc(p, 1) Enc(p, 1)2 (1, 0, 1, 0, 0) Enc(p, 0) Enc(p, 1)3 (1, 1, 0, 0, 0) Enc(p, 1) Enc(p, 2)4 (1, 1, 0, 1, 0) Enc(p, 0) Enc(p, 2)5 (1, 0, 0, 0, 0) Enc(p, 0) Enc(p, 2)

5∏

i=1

(1 + vi + ci)

Sr =∑

i≤rIr

I ′r,j = Ir

5∏

i=1

(1 + ji + Sr,i)

(I ′1) = (Enc(p, 1))(I ′2) = (Enc(p, 0),Enc(p, 0))

(I ′3) = (Enc(p, 0),Enc(p, 1),Enc(p, 0))(I ′4) = (Enc(p, 0),Enc(p, 0),Enc(p, 0),Enc(p, 0))

(I ′5) = (Enc(p, 0),Enc(p, 0),Enc(p, 0),Enc(p, 0),Enc(p, 0))

Generalization of Gahi’s Method•Recall that in Gahi’s method we used the expression,

5∏

i=1

(1 + vi + ci)

to calculate the Ir values corresponding to each record.

•We replace this expression by,

Fi =

∏j 6=i Enc(h,m−Rj)∏k 6=i Enc(h,Ri −Rk)

where Rj denotes the j-th record in the database, m is the plaintext message and h isthe public key.

•Bob calculates the sequence (F ′i,k)5k=1 corresponding to each record as follows.

F ′r,k = Fr

(∏j 6=k (Sr − Enc(h, j))

Enc(h,∏j 6=k(k − j))

)for all k ≤ r

•Therefore,

F ′r,k =

Enc(h, 1) if Fr = Enc(h, 1) and Sr = Enc(h, k),

Enc(h, 0) Otherwise.

Fully Homomorphic Encryption

•Homomorphic with respect to two operations (ex: Addition and Multiplication).

•The idea was first proposed by Ronald Rivest, Len Adleman and Michael Dertouzos in1978.

•A scheme E with an efficient algorithm EvaluateE such that, for any valid public key pk,any circuit C, and any ciphertexts ψi← EncryptE(pk, πi) outputs

ψ ← EvaluateE(pk, C, ψ1, . . . , ψt)

where ψ is a valid encryption of C(ψ1, . . . , ψt) under pk.

Gahi’s Method for Query Privacy

•By calculating the multiplication,5∏

i=1

(1 + vi + ci) =

Enc(1) if c = Enc(v),

Enc(0) Otherwise.

(c1, c2, c3, c4, c5)

“Query”→ (m1,m2,m3,m4,m5)

AliceBob

(v1, v2, v3, v4, v5)

(m1,m2,m3,m4,m5)DGHV−−−−→ (c1, c2, c3, c4, c5) Calculates

5∏

i=1

(1 + vi + ci)

Finally.....Finally Alice can decrypt the results to get the exact records that she searched for.

(c1, c2, c3, c4, c5)

“Query”→ (1, 1, 0, 0, 0)

Alice

Bob

(1, 1, 0, 0, 0)DGHV−−−−→ (c1, c2, c3, c4, c5)

∑

r

Ir

Dec

(∑

r

Ir, sk

)= 2

(Enc(R1),Enc(R3))

Generalization of Gahi’s MethodBob now has a list of sequences as before.

Sr =∑

i≤rFi

(F ′1) = (Enc(h, 0))(F ′2) = (Enc(h, 0),Enc(h, 0))

(F ′3) = (Enc(h, 0),Enc(h, 1),Enc(h, 0))(F ′4) = (Enc(h, 0),Enc(h, 0),Enc(h, 0),Enc(h, 0))

(F ′5) = (Enc(h, 0),Enc(p, 0),Enc(h, 0),Enc(h, 0),Enc(h, 0))

Fi =

∏j 6=i (Enc(h,m)− Enc(h,Rj))

Enc(h,∏

k 6=i (Ri −Rk))

F ′r,k = Fr

(∏j 6=k (Sr − Enc(h, j))

Enc(h,∏

j 6=k(k − j))

)

r Database Records Fi Sr

1 R1 = m Enc(h, 1) Enc(h, 1)2 R2 6= m Enc(h, 0) Enc(h, 1)3 R3 = m Enc(h, 1) Enc(h, 2)4 R4 6= m Enc(h, 0) Enc(h, 2)5 R5 6= m Enc(h, 0) Enc(h, 2)

Drawbacks

• Enormous number of operations due to DGHVschemes inherent bitwise nature.

•Restricted to DGHV scheme and it’s underlyingstructure. The protocol cannot be directly usedwith any other fully homomorphic encryptionscheme.

• Thereby we propose an alternative method whichimproves (or generalizes) Gahi’s method andcould be used with any fully homomorphic en-cryption scheme.

Advantages and Disadvantages

•Not restricted to DGHV scheme. Can be used with other fully homomorphic encryption schemes.

•Not dependent upon bitwise encryption. Can be used with block based fully homomorphic encryption schemes.

– Zvika Brakerski’s Fully Homomorphic Encryption Scheme based on the Ring LWE problem,

– Jean Coron’s Batch Fully Homomorphic Encryption Scheme over the Integers.

•Our scheme involves homomorphic division which might not be practical.