
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/308277139

Paillier's encryption: Implementation and cloud applications

Conference Paper · October 2015
DOI: 10.1109/ARCSE.2015.7338149

Authors: Mohamed Nassar (American University of Beirut), Abdelkarim Erradi (Qatar University), Qutaibah M. Malluhi (Qatar University)

All content following this page was uploaded by Mohamed Nassar on 09 March 2018.


Paillier's Encryption: Implementation and Cloud Applications

Mohamed Nassar, Abdelkarim Erradi, Qutaibah M. Malluhi
KINDI Center for Computing Research
Qatar University
Doha, Qatar
Emails: meb.nassar@gmail.com, erradi@qu.edu.qa, qmalluhi@qu.edu.qa

Abstract—Paillier's additive homomorphic encryption is increasingly used in recent research in the field of secure cloud outsourcing and privacy-preserving computation, in addition to other cryptographic tools such as garbled circuits. In this paper, we review Paillier's encryption and its application to privacy-preserving computation outsourcing and secure online voting. We present a new implementation of Paillier's cryptosystem using Python as the interface language and fast GMP C routines for the arithmetic operations.

Index Terms—Security and privacy, Privacy-preserving protocols, Paillier's cryptosystem, Cloud Computing.

I. INTRODUCTION

Cloud computing unlocks unprecedented opportunities for outsourcing storage and computation. It offers flexibility and cost savings, but the risk of exposure to privacy and security issues deters many customers from entrusting their sensitive data to the cloud. Recent research focuses on leveraging cryptographic techniques to enable privacy preservation in cloud settings. In this paper we review homomorphic encryption and present an efficient implementation of Paillier's additive homomorphic encryption. We then review promising cloud applications that these techniques may enable.

A. Fully homomorphic encryption

A cryptosystem which supports both addition and multiplication (thereby preserving the ring structure of the plaintexts) is known as Fully Homomorphic Encryption (FHE). FHE effectively allows the construction of programs which may be run on encryptions of their inputs to produce an encryption of their output. Since such a program never decrypts its input, it can be run by an untrusted party without revealing its inputs and internal state. This would have great practical implications for the outsourcing of private computations, for instance in the context of cloud computing.

In 2009 an IBM cryptographer named Craig Gentry wrote a PhD dissertation describing a solution to homomorphic encryption based on lattice cryptography. Unfortunately it had a drawback: Gentry estimated that performing a Google search with encrypted keywords, a perfectly reasonable simple application of this algorithm, would increase the computing time by about a factor of a trillion [5]. Gentry had what amounted to an existence proof, showing that homomorphic encryption could no longer be considered impossible, but he did not have a practicable real-world implementation of the concept [4].

Since then, IBM has released an open source software package called HElib. Although it does not sound terribly practical, HElib is actually an interesting and important milestone in cryptography. HElib is currently available as an implementation of the Brakerski-Gentry-Vaikuntanathan (BGV) scheme, along with many optimizations to make homomorphic evaluation run faster, focusing mostly on effective use of the Smart-Vercauteren ciphertext packing techniques and the Gentry-Halevi-Smart optimizations. At its present state, this library is mostly meant for researchers working on HE and its uses. It is also currently fairly low-level, and is best thought of as "assembly language for HE". That is, it provides low-level routines (set, add, multiply, shift, etc.), with as much access to optimizations as possible. The authors do not have an implementation of bootstrapping, hence so far they can only support "leveled" HE, where the parameters must be set large enough to evaluate the desired functionality. The library is written in C++ and uses the NTL mathematical library. It is distributed under the terms of the GNU General Public License (GPL) [3].

B. Can homomorphic encryption be practical?

Somewhat homomorphic encryption schemes, which support a limited number of homomorphic operations, can be much faster and more compact than fully homomorphic encryption schemes. For example, the Boneh-Goh-Nissim scheme [10] supports an unlimited number of addition operations but at most one multiplication. For some applications, it is enough to consider an implementation of a "somewhat homomorphic encryption" (SHE) scheme, namely one which allows a fixed number of multiplications of ciphertexts. For these functions, it suffices to have a somewhat homomorphic encryption system which computes many additions and a small number of multiplications on ciphertexts: for example, averages require no multiplications, standard deviation requires one multiplication, and predictive analysis such as logistic regression requires a few multiplications (depending on the required precision). The authors in [17] propose a SHE scheme and provide an implementation based on the Magma library.
C. Partially homomorphic encryption

Partially homomorphic encryption schemes are simpler and support only one kind of computation. However, they are more practical and have a wide range of applications, ranging from secure voting and collision-resistant hash functions to private information retrieval and secure computation on the cloud. Some of these systems are:

• Unpadded RSA: in an RSA scheme with modulus $m$ and exponent $e$, $E[x] = x^e \bmod m$, so that
  $E[x] \cdot E[y] = x^e \cdot y^e \bmod m = (xy)^e \bmod m = E[x \cdot y]$
• ElGamal encryption [13]
• Goldwasser-Micali [14]
• Benaloh [7]
• Paillier: in a Paillier scheme with modulus $m$ and base $g$, the encryption of a message $x$ using a random number $r$ is $E[x] = g^x \cdot r^m \bmod m^2$, so that
  $E[x] \cdot E[y] = (g^x \cdot r_1^m \bmod m^2) \cdot (g^y \cdot r_2^m \bmod m^2) = g^{x+y} \cdot (r_1 r_2)^m \bmod m^2 = E[x + y]$

In this paper we mainly focus on Paillier's cryptosystem.

D. CryptDB

Another approach, proposed by MIT, is to avoid fully homomorphic encryption and instead piece together existing partially homomorphic encryption schemes that get the job done. The RSA scheme, for instance, lets you multiply encrypted numbers, and the Paillier scheme lets you add them [2]. Their system CryptDB is able to switch between cryptosystems on the fly depending on the operation. The data in the database is encrypted in multiple layers of different encryption, what the researchers call an "onion" of encryption. Every layer allows different kinds of computation and has a different key. "You just strip off the levels of the onion until you reach the level that allows a certain operation" [1].

E. Paillier's cryptosystem

Paillier's homomorphic encryption [18] possesses the following properties:

1) It is a public key scheme, which means encryption can be performed by anyone who knows the public key, while decryption can only be done with the matching private key, known only to a trusted party.
2) It is probabilistic. In other words, it is impossible for an adversary to tell whether two ciphertexts are encryptions of the same plaintext or not.
3) It possesses the homomorphic properties for addition, in particular:

  $E_{pk}[(m_1 + m_2) \bmod N] = E_{pk}[m_1] \cdot E_{pk}[m_2] \bmod N^2$

  $E_{pk}[(a \cdot m_1) \bmod N] = E_{pk}[m_1]^a \bmod N^2$

where $N$ is the modulus of the encryption and a part of the public key. Note that the sign "=" above stands for equivalence and not equality. The key generation scheme can be summarized as follows:

• Choose two large prime numbers $p$ and $q$ such that $\gcd(pq, (p-1)(q-1)) = 1$. This property is assured if $p$ and $q$ are of equal bit length $s$.
• Compute $n = pq$ and $\lambda = \mathrm{lcm}(p-1, q-1)$.
• Select a random integer $g$ from $\mathbb{Z}^*_{n^2}$.
• Ensure $n$ divides the order of $g$ by checking the existence of the following modular multiplicative inverse: $\mu = (L(g^\lambda \bmod n^2))^{-1} \bmod n$, where $L(u)$ is the quotient of the Euclidean division $(u-1)/n$. (The order of $g$ is the $a$ such that $g^a = 1 \bmod n^2$.)
• The public encryption key is $(g, n)$.
• The private decryption key is $(\mu, \lambda)$.

The message encryption can then be performed using the following operations:

• Let $m$ be the message to be encrypted, from $\mathbb{Z}_n$.
• Select a random $r$ from $\mathbb{Z}^*_n$.
• Compute the ciphertext as $E[m] = c = g^m \cdot r^n \bmod n^2$.

The decryption is essentially one exponentiation modulo $n^2$:

• $m = L(c^\lambda \bmod n^2) \cdot \mu \bmod n$

The decryption is based on the fact that some discrete logarithms can be computed easily; for example, if $g$ is chosen as $g = n + 1$ then $L(g^x \bmod n^2) = x \bmod n$. A proof can be obtained using the binomial theorem.
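The following is an added worked example, not the paper's paillier-gmpy2 code: a pure-Python Paillier implementation that follows the general key generation of Section E (a random $g$, with $\mu$ derived through the $L$ function and the key rejected when the inverse does not exist), the encryption and decryption formulas above, and the additive homomorphism listed in Section C. The `demo` function reproduces the 3 + 5 walk-through used later in the paper, checks that "=" really is equivalence modulo $n$ (adding $E[n-1]$ and $E[2]$ decrypts to 1), shows the probabilistic property, and verifies the $g = n + 1$ shortcut $L(g^x \bmod n^2) = x \bmod n$. Key sizes are deliberately tiny so the example runs in well under a second; the Miller-Rabin helper, the function names and the 128-bit default are this example's own choices, and the modular inverse relies on Python 3.8+ `pow(x, -1, n)`.

```python
import math
import secrets

# Added example, not the paper's paillier-gmpy2 code: pure-Python Paillier following
# Section E (random g, mu derived from L). Key sizes here are tiny, for speed only.
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=32):
    """Miller-Rabin test; 32 random bases bound the false-positive rate by 2**-64."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # this base is a witness of compositeness
    return True

def generate_prime(bits):
    """Odd candidates with the top bit set, retried until probably prime."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def L(u, n):  # Section E's L function: quotient of the Euclidean division (u - 1) / n
    return (u - 1) // n

def generate_keypair(bits):
    """General key generation: random g in Z*_{n^2}, kept only if mu exists."""
    while True:
        p, q = generate_prime(bits), generate_prime(bits)
        # equal bit lengths give gcd(pq, (p-1)(q-1)) = 1; verify rather than trust it
        if p != q and math.gcd(p * q, (p - 1) * (q - 1)) == 1:
            break
    n, lam = p * q, (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lambda = lcm(p-1, q-1)
    n2 = n * n
    while True:
        g = 1 + secrets.randbelow(n2 - 1)
        if math.gcd(g, n2) != 1:
            continue
        try:  # n divides the order of g exactly when L(g^lambda mod n^2) is invertible mod n
            mu = pow(L(pow(g, lam, n2), n), -1, n)  # Python 3.8+ modular inverse
        except ValueError:
            continue
        return (n, g), (lam, mu)

def encrypt(pub, m):
    """E[m] = g^m * r^n mod n^2 with a fresh random r in Z*_n (probabilistic)."""
    n, g = pub
    while True:
        r = 1 + secrets.randbelow(n - 1)
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m % n, n * n) * pow(r, n, n * n)) % (n * n)

def decrypt(priv, pub, c):
    """m = L(c^lambda mod n^2) * mu mod n."""
    lam, mu = priv
    n = pub[0]
    return (L(pow(c, lam, n * n), n) * mu) % n

def e_add(pub, a, b):  # E[a] * E[b] decrypts to (a + b) mod n
    n = pub[0]
    return (a * b) % (n * n)

def e_add_const(pub, a, k):  # E[a] * g^k decrypts to (a + k) mod n
    n, g = pub
    return (a * pow(g, k % n, n * n)) % (n * n)

def e_mul_const(pub, a, k):  # E[a]^k decrypts to (k * a) mod n
    n = pub[0]
    return pow(a, k % n, n * n)

def demo(bits=128):
    """3 + 5 -> 8, (8 + 2) * 3 -> 30, the mod-n wrap, the probabilistic property
    and the g = n + 1 identity L(g^x mod n^2) = x mod n from the end of Section E."""
    pub, priv = generate_keypair(bits)
    n = pub[0]
    cz = e_add(pub, encrypt(pub, 3), encrypt(pub, 5))
    z = decrypt(priv, pub, cz)
    result = decrypt(priv, pub, e_mul_const(pub, e_add_const(pub, cz, 2), 3))
    wrap = decrypt(priv, pub, e_add(pub, encrypt(pub, n - 1), encrypt(pub, 2)))  # 1, not n + 1
    distinct = encrypt(pub, 3) != encrypt(pub, 3)
    binomial_ok = L(pow(n + 1, 12345, n * n), n) == 12345 % n
    return z, result, wrap, distinct, binomial_ok

if __name__ == "__main__":
    print(demo())  # (8, 30, 1, True, True)
```

The rejection loop in `generate_keypair` is the point of the "ensure $n$ divides the order of $g$" step: a $g$ for which the inverse does not exist would silently produce a key that decrypts to garbage, so the check belongs in key generation rather than being discovered at decryption time.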
II. IMPLEMENTATION

We implemented a Python library for Paillier's encryption using gmpy2 for the arithmetic operations. Gmpy2 is a C-coded Python extension module that supports GMP and MPIR for multiple-precision integer and rational arithmetic. We used a special case of Paillier's cryptosystem where:

• $p$ and $q$ are two primes of equivalent bit length,
• $n = pq$,
• $g = n + 1$,
• $\lambda = \varphi(n)$,
• $\mu = \varphi(n)^{-1} \bmod n$, where $\varphi(n) = (p-1)(q-1)$.

The code is available at: https://github.com/mnassar/paillier-gmpy2.

The main functions of the library are the following:

• generate_prime(bits): generates an integer of bits bits that is prime.
• generate_keypair(bits): generates a key pair (pub, priv).
• encrypt(pub, plain): encrypts a plain text into a cipher text.
• e_add(pub, a, b): adds cipher text a to cipher text b to get the equivalent of E[a+b].
• e_add_const(pub, a, k): adds constant k to cipher text a to get the equivalent of E[a+k].
• e_mult_const(pub, a, k): multiplies cipher text a by a constant k to get the equivalent of E[k.a].
• decrypt(priv, pub, cipher): decrypts a cipher text.

Table I compares our implementation to two other publicly available implementations: the first one is purely implemented in Python by Ivanov (https://github.com/mikeivanov/paillier); the second one belongs to the Charm-crypto project (http://charm-crypto.com/Main.html). Each operation is run 100 times over random operands and the average timing is recorded. Results for a key size of 1024 bits show that our implementation clearly wins in terms of performance.

We noticed a bug in the CharmCrypto implementation when it comes to adding a cipher and a small constant, which makes this operation very slow. Ivanov's implementation is slower even for smaller key sizes (256 bits). One reason is that it implements the Rabin-Miller probabilistic primality tests in Python. The same tests (in addition to other probabilistic primality tests) are implemented more efficiently in gmpy2. It also has a pitfall in the encrypt function since it selects r as a prime, whereas r should simply be any random number. We also tested the Java implementation at http://www.csee.umbc.edu/~kunliu1/research/Paillier.html, which uses efficient BigInteger operations. Yet our implementation is still faster.

A snapshot demonstration of the tool is shown next:

# generate_keypair, encrypt, e_add, e_add_const, e_mul_const and decrypt are the
# paillier-gmpy2 library functions listed above; import them from the library first
print("Generating keypair... %d bits" % 512)
priv, pub = generate_keypair(512)
x = 3
print("x =", x)
print("Encrypting x...")
cx = encrypt(pub, x)
print("cx =", cx)

y = 5
print("y =", y)
print("Encrypting y...")
cy = encrypt(pub, y)
print("cy =", cy)

print("Computing cx + cy...")
cz = e_add(pub, cx, cy)
print("cz =", cz)

print("Decrypting cz...")
z = decrypt(priv, pub, cz)
print("z =", z)

print("Computing decrypt((cz + 2) * 3) ...")
print("result =", decrypt(priv, pub,
      e_mul_const(pub, e_add_const(pub, cz, 2), 3)))

An example of the console output is shown next:

Generating keypair... 512 bits
x = 3
Encrypting x...
cx = 24148460559965448239440010474169876
9523128588404936868364740951368539577592
4854185177705039395875494653335119750755
0922812602265630972149773817347945663580
9859705785423142009355735527804599247883
2087574916354886090361100317287328963957
5569359162295583234645018557870043601559
577866979283970516840086083400544
y = 5
Encrypting y...
cy = 97081544093390150728869885586228545
1369841827765551150500391490377035465968
0482316733311049884205539922689705215385
0374589969365200477564944053786519437515
3749359600359144008233141421535464414707
1815970116090881180961224654076376680013
7512053539938269744248820484024639256671
08081220622126132163963751881776
Computing cx + cy...
cz = 39039445660199142413184535700706829
7556570600927385126694898607888402209218
9351376124217180113025079327259288493388
8020323565051677520139318593495764796946
2432729685233299717545665037769518500640
1429720334205811061674374581417289168145
3746218869117226676399668935521560747011
552846909584834583418805159174803
Decrypting cz...
z = 8
Computing decrypt((cz + 2) * 3) ...
result = 30

III. SELECTED APPLICATIONS

A. Secure voting and homomorphic counters

Secure online voting has many practical constraints. It must ensure the verification of the results (also known as the integrity property) and at the same time deny any match between the votes and the corresponding voters (also known as the ballot secrecy property). In addition it must prevent cheating by the voters, such as double voting or pretending to have voted without actually casting a ballot. All these constraints make secure online voting a difficult task to tackle, if not an impossible one. Indeed, many researchers argue that relying solely on technological solutions (either online or offline) without physical redundancy such as paper tallies would be risky and unreliable [11]. However, much research work strives for anonymous and scalable voting systems based on additive homomorphic encryption and other cryptographic tools such as mix nets (e.g. [6], [15]). This research resulted in many online systems offering verifiable online elections, such as Helios (https://vote.heliosvoting.org/). Researchers have also shown that many online voting systems are vulnerable [23].

B. DNA profile matching

In [12] the authors address a multitude of DNA tests, such as identity, ancestry and paternity tests, based on Short Tandem Repeat (STR) profiles. An STR profile is composed of a number of loci and, for each locus, the number of repetitions of a given repeat structure. The authors translate each test into an algebraic expression and provide an additive homomorphic encryption scheme allowing two semi-honest parties to compare their stored profiles in a semantically secure manner. The proposed approach allows exact or approximate matches to be obtained within a small error interval, as practically required by the tests.
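The following is an added worked example, not code from the paper, from [16] or from the paillier-gmpy2 library. It uses the $g = n + 1$ special case of Section II over two small constructed primes (a toy key, nowhere near a secure size) to drive the two Section III uses of additive homomorphism: a homomorphic vote counter for III.A, in which every candidate owns one base-B digit of a single encrypted counter, and the aggregate counting query over Paillier-encrypted SNP bits of Kantarcioglu et al. [16], which this section describes after Table I (two bits per letter, 'A' = 0b00, an expression that is an encryption of 0 exactly for matching records, a permuted result list that the client decrypts and counts zeros in). The letter codes other than 'A', the base-B packing, the sample records and query, and the random blinding of each record's result are assumptions of this example rather than details given by the paper.

```python
import math
import secrets

# Added example (not the paper's code): toy Paillier in the g = n + 1 form of
# Section II, driving a homomorphic vote counter (III.A) and the aggregate
# SNP counting query of Kantarcioglu et al. [16] (III.B).
# Constructed demo primes: far too small for any real deployment.
P, Q = 1000000007, 998244353
N, N2 = P * Q, (P * Q) ** 2
PHI = (P - 1) * (Q - 1)            # lambda = phi(n) in the special case
MU = pow(PHI, -1, N)               # mu = phi(n)^-1 mod n (Python 3.8+)

def encrypt(m):
    """With g = n + 1, g^m = 1 + m*n (mod n^2): one exponentiation instead of two."""
    while True:
        r = 1 + secrets.randbelow(N - 1)
        if math.gcd(r, N) == 1:      # r must be a unit mod n, not necessarily a prime
            break
    return ((1 + (m % N) * N) * pow(r, N, N2)) % N2

def decrypt(c):
    """m = L(c^lambda mod n^2) * mu mod n, with L(u) = (u - 1) // n."""
    return (((pow(c, PHI, N2) - 1) // N) * MU) % N

def e_add(a, b):            # E[a] * E[b]  -> E[a + b]
    return (a * b) % N2

def e_add_const(a, k):      # E[a] * g^k   -> E[a + k]
    return (a * (1 + (k % N) * N)) % N2

def e_mul_const(a, k):      # E[a]^k       -> E[k * a]
    return pow(a, k % N, N2)

# ---- Section III.A: homomorphic counter ---------------------------------
# A ballot is E[base^candidate]: each candidate owns one base-B digit of one
# counter, so adding ballots adds votes into the right slots. base must exceed
# the number of voters so that no slot ever carries into its neighbour.
def cast_ballot(candidate, num_candidates, base):
    assert 0 <= candidate < num_candidates
    return encrypt(base ** candidate)

def tally(ballots, num_candidates, base):
    acc = encrypt(0)
    for b in ballots:
        acc = e_add(acc, b)             # individual ballots are never decrypted
    total = decrypt(acc)
    return [(total // base ** i) % base for i in range(num_candidates)]

# ---- Section III.B: aggregate counting query over encrypted SNP bits ----
LETTER_BITS = {"A": (0, 0), "C": (0, 1), "G": (1, 0), "T": (1, 1)}  # 'A' = 0b00 as in [16]; rest assumed

def encrypt_record(seq):
    """Hospital side: letter i becomes encrypted bits at positions 2i and 2i + 1."""
    return [encrypt(bit) for letter in seq for bit in LETTER_BITS[letter]]

def evaluate_query(enc_record, query):
    """Server side: E[number of query bits that differ from the record].
    E[b XOR q] is E[b] when q = 0 and E[1 - b] = E[1] * E[b]^(n - 1) when q = 1,
    so the sum is an encryption of 0 exactly when the record matches. The sum is
    then blinded by a random unit (this example's hardening) so the client learns
    only match / no match, never how many bits differed."""
    acc = encrypt(0)
    for pos, letter in query:
        for j, q in enumerate(LETTER_BITS[letter]):
            cbit = enc_record[2 * pos + j]
            acc = e_add(acc, cbit if q == 0 else e_add_const(e_mul_const(cbit, N - 1), 1))
    return e_mul_const(acc, 1 + secrets.randbelow(N - 1))

def count_matches(enc_db, query):
    """Server permutes the per-record results; the client decrypts and counts zeros."""
    results = [evaluate_query(rec, query) for rec in enc_db]
    secrets.SystemRandom().shuffle(results)
    return sum(1 for c in results if decrypt(c) == 0)

# constructed sample data: 'A' at position 4 is E[0] at bit positions 8 and 9
RECORDS = ["ACGTACGT", "ACGAACGT", "TTGTACGA", "ACGTTCGT"]
QUERY = [(0, "A"), (4, "A"), (7, "T")]

def demo():
    votes = tally([cast_ballot(c, 3, 1000) for c in (0, 2, 2, 1, 2, 0)], 3, 1000)
    matches = count_matches([encrypt_record(r) for r in RECORDS], QUERY)
    return votes, matches

if __name__ == "__main__":
    print(demo())   # ([2, 1, 3], 2)
```

The blinding in `evaluate_query` is sound here because the mismatch count is far smaller than either prime, so it is a unit modulo $n$ and a random non-zero multiplier can never turn a non-match into an apparent match; it is the kind of detail a reviewer would want stated, since the paper's description has the client learn the raw evaluation results.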
TABLE I
COMPARISON OF AVERAGE TIME (MS) OF OUR TOOL VERSUS OTHER TOOLS

Time (ms)                      paillier-gmpy2 (1024)   paillier-Ivanov (256)   paillier-Charm (1024)
                               (Our tool)
key generation                          34.00                  152.00                  585.00
encryption                            1602.00                48744.00                 7917.00
decryption                            1567.00                  193.00                 7290.00
add ciphers                              2.00                    1.00                    9.00
add cipher and constant                 56.00                    6.00                 7755.00
multiply cipher and constant            53.00                   29.00                  136.00

Kantarcioglu et al. [16] consider a framework where Single Nucleotide Polymorphism (SNP) sequences coming from several hospitals are encrypted and stored at a data storage site, and biomedical researchers are able to submit queries to this site. The query processing must deal with encrypted data. The authors propose a protocol for aggregate counting queries over the encrypted database, which is particularly interesting for privacy-preserving statistical analysis. Their scheme is based on a binary storage scheme where each SNP letter has a binary representation over two bits and each bit is encrypted using Paillier's encryption. For example, the letter 'A' is encoded in binary as the two bits 0b00. Similarly, the query is translated to binary encoding. For example, finding the letter 'A' at position 4 is equivalent to finding an encryption of 0 at position 8 and an encryption of 0 at position 9 in the encoded sequence. The authors propose an algebraic expression that evaluates to an encryption of 0 for each encrypted record in the database matching the query. In other words, the result of the query is the count of 0s among the evaluation results of all the records. The server sends a permutation of the encrypted results. The client decrypts and counts the zeros to obtain the actual result of the query. The paper announces a query response time of approximately 25 min for a database of 5000 records and a query that consists of 10 SNPs. Using our tool, our experiments show that under the same setting the query response time is less than one minute.

C. Privacy-preserving biometric identification

Privacy is particularly important for biometric identification data: we cannot change our fingerprint or our iris scan the same way we change passwords once they get compromised. Biometric data is noisy and varies from one measurement to another, which means that even when two biometric measurements come from the same person, comparing their cryptographic functions will certainly result in a mismatch. In privacy-preserving biometric authentication the server carries out the comparison without revealing any biometric information that can later be used to impersonate the client. Researchers propose mixing homomorphic encryption with garbled circuits in order to tackle these challenges [19], [9].

D. Image processing

Image template matching tries to answer one of the most basic questions about an image: is there a certain object ("pattern") in that image, and where? In [22] the authors demonstrate that shape-based image feature extraction, a particularly computationally intensive task, can be carried out by presenting two schemes for doing so and demonstrating their viability by experimentally evaluating them.

E. Matrix algebra

Benjamin and Atallah have proposed a secure outsourcing framework for matrix multiplication using two servers and homomorphic encryption on the servers [8].

In [20] the authors address the outsourcing of Linear Programming (LP) problems in terms of input/output privacy, cheating resilience, and efficiency. The authors propose a random affine transformation of the variables and matrices of the LP problem and hand the solving of the new problem to the cloud. The currently practical algorithms for solving LP have a complexity superior to $O(n^3)$. The proposed scheme incurs at the client a cost inferior to the LP solving complexity.

In [21], harnessing the cloud for solving large-size systems of linear equations has been proposed and evaluated. They propose two solutions: a basic batch solution and a more secure iterative solution based on additive homomorphic encryption. The problem of solving $Ax = b$ is represented as $\phi = (A, b)$ and has complexity $O(n^p)$ where $2 < p \le 3$. The basic solution is to hide $x$ using a random vector $r$ and to hide $A$ by multiplying it by a random matrix $Q$. This approach is not attractive because the problem transformation requires a matrix multiplication, which is computationally as costly as solving the linear system itself, especially for large matrices. The iterative solution is to repeatedly compute $x^{(k+1)} = T x^{(k)} + c$, where $A$ is decomposed into two matrices, $A = D + R$; $T$ is computed as $T = -D^{-1} R$ and $c = D^{-1} b$. The transformed problem is $\phi = (T, c)$, of complexity $O(L n^2)$ where $L$ is the number of iterations, assuming convergence of the solution. The client hides $x$ by adding a random vector, $y = x + r$, encrypts $T$ in $O(n^2)$ and sends it to the server. The encryption is costly but it is done one time and is amortizable over the iterations of the protocol. The server computes $E[T y^{(k)}]$ at each iteration and sends it to the client. The client decrypts this vector and computes $y^{(k+1)}$ at each iteration in $O(n)$ time. The algorithm stops when $\| y^{(k+1)} - y^{(k)} \| < \varepsilon$.

IV. CONCLUSION AND FUTURE WORK

In this paper we reviewed homomorphic encryption and its applications to arising cloud security issues. We presented a new
and efficient implementation of Paillier's additive homomorphic encryption. Finally we reviewed a subset of applications of Paillier's encryption in recent cloud security and privacy research. We do not claim by any means to be comprehensively addressing homomorphic encryption schemes or their applications. Still, we hope that this paper is a good starting point for newcomers to this exciting research domain.

ACKNOWLEDGMENTS

This publication was made possible by a grant from the Qatar National Research Fund; award number NPRP 09-622-1-090. Its contents are solely the responsibility of the authors and do not necessarily represent the official views of the Qatar National Research Fund.

REFERENCES

[1] A Christmas Present From MIT? — CSO Online. http://www.csoonline.com/article/2136107/data-protection/a-christmas-present-from-mit-.html. [Online; accessed 2015-07-24].
[2] An MIT Magic Trick: Computing On Encrypted Databases Without Ever Decrypting Them - Forbes. http://www.forbes.com/sites/andygreenberg/2011/12/19/an-mit-magic-trick-computing-on-encrypted-databases-without-ever-decrypting-them/. [Online; accessed 2015-07-24].
[3] HElib: An Implementation of homomorphic encryption. https://github.com/shaih/HElib. [Online; accessed 2015-07-24].
[4] Homomorphic Encryption Breakthrough - Schneier on Security. https://www.schneier.com/blog/archives/2009/07/homomorphic_enc.html. [Online; accessed 2015-07-24].
[5] IBM takes a big new step in cryptography: practical homomorphic encryption — Naked Security. https://nakedsecurity.sophos.com/2013/05/05/ibm-takes-big-new-step-in-cryptography/. [Online; accessed 2015-07-24].
[6] B. Adida. Advances in cryptographic voting systems. PhD thesis, Massachusetts Institute of Technology, 2006.
[7] J. Benaloh. Dense probabilistic encryption. In Proceedings of the Workshop on Selected Areas of Cryptography, pages 120–128, 1994.
[8] D. Benjamin and M. J. Atallah. Private and Cheating-Free Outsourcing of Algebraic Computations. In 2008 Sixth IEEE Annual Conference on Privacy, Security and Trust, pages 240–245. IEEE, 2008.
[9] M. Blanton and P. Gasti. Secure and efficient protocols for iris and fingerprint identification. In Computer Security – ESORICS 2011, pages 190–209. Springer, 2011.
[10] D. Boneh, E.-J. Goh, and K. Nissim. Evaluating 2-DNF formulas on ciphertexts. In Theory of Cryptography, pages 325–341. Springer, 2005.
[11] B. Schneier. Voting Security. IEEE Security & Privacy, July/August 2004. https://www.schneier.com/essays/archives/2004/07/voting_security.html. [Online; accessed 2015-07-24].
[12] F. Bruekers, S. Katzenbeisser, K. Kursawe, and P. Tuyls. Privacy-preserving matching of DNA profiles. Technical report, 2008.
[13] T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. In Advances in Cryptology, pages 10–18. Springer, 1985.
[14] S. Goldwasser and S. Micali. Probabilistic encryption & how to play mental poker keeping secret all partial information. In Proceedings of the Fourteenth Annual ACM Symposium on Theory of Computing (STOC '82), pages 365–377, New York, NY, USA, May 1982. ACM Press.
[15] M. Hirt and K. Sako. Efficient receipt-free voting based on homomorphic encryption. In Advances in Cryptology – EUROCRYPT 2000, pages 539–556. Springer, 2000.
[16] M. Kantarcioglu, W. Jiang, Y. Liu, and B. Malin. A cryptographic approach to securely share and query genomic sequences. IEEE Transactions on Information Technology in Biomedicine, 12(5):606–617, 2008.
[17] M. Naehrig, K. Lauter, and V. Vaikuntanathan. Can homomorphic encryption be practical? In Proceedings of the 3rd ACM Workshop on Cloud Computing Security (CCSW '11), page 113, New York, NY, USA, Oct. 2011. ACM Press.
[18] P. Paillier. Public-key cryptosystems based on composite degree residuosity classes. In Proceedings of the 17th International Conference on Theory and Application of Cryptographic Techniques (EUROCRYPT '99), pages 223–238, Prague, Czech Republic, May 1999. Springer-Verlag.
[19] A.-R. Sadeghi, T. Schneider, and I. Wehrenberg. Efficient privacy-preserving face recognition. In Information, Security and Cryptology – ICISC 2009, pages 229–244. Springer, 2010.
[20] C. Wang and K. Ren. Secure and practical outsourcing of linear programming in cloud computing. In INFOCOM, 2011 Proceedings IEEE, pages 820–828, 2011.
[21] C. Wang, K. Ren, J. Wang, K. M. R. Urs, and Q. Wang. Harnessing the Cloud for Securely Solving Large-Scale Systems of Linear Equations. In 31st International Conference on Distributed Computing Systems, pages 549–558. IEEE, June 2011.
[22] S. Wang, M. Nassar, M. Atallah, and Q. Malluhi. Secure and Private Outsourcing of Shape-Based Feature Extraction. In Information and Communications Security, pages 90–99. Springer International Publishing, 2013.
[23] S. Wolchok, E. Wustrow, D. Isabel, and J. A. Halderman. Attacking the Washington, DC Internet voting system. In Financial Cryptography and Data Security, pages 114–128. Springer, 2012.
