Stream Ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression

• Published in: Fast Software Encryption Vol. 9783; pp. 313 - 333
• Main Authors: Canteaut, Anne, Carpov, Sergiu, Fontaine, Caroline, Lepoint, Tancrède, Naya-Plasencia, María, Paillier, Pascal, Sirdey, Renaud
• Format: Book Chapter
• Language: English
• Published: Germany Springer Berlin / Heidelberg 2016; Springer Berlin Heidelberg
• Series: Lecture Notes in Computer Science
• Subjects: Data encryption; Homomorphic cryptography; Stream ciphers; Trivium
• ISBN: 9783662529928; 3662529920
• ISSN: 0302-9743; 1611-3349
• DOI: 10.1007/978-3-662-52993-5_16

In typical applications of homomorphic encryption, the first step consists for Alice to encrypt some plaintext m under Bob’s public key \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathsf {pk}$$\end{document} and to send the ciphertext \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$c = \mathsf {HE}_{\mathsf {pk}}(m)$$\end{document} to some third-party evaluator Charlie. This paper specifically considers that first step, i.e. the problem of transmitting c as efficiently as possible from Alice to Charlie. As previously noted, a form of compression is achieved using hybrid encryption. Given a symmetric encryption scheme \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathsf {E}$$\end{document}, Alice picks a random key k and sends a much smaller ciphertext \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$c' = (\mathsf {HE}_{\mathsf {pk}}(k), \mathsf {E}_k(m))$$\end{document} that Charlie decompresses homomorphically into the original c using a decryption circuit \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathcal {C}_{{\mathsf {E}^{-1}}}$$\end{document}. In this paper, we revisit that paradigm in light of its concrete implementation constraints; in particular \documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathsf {E}$$\end{document} is chosen to be an additive IV-based stream cipher. We investigate the performances offered in this context by Trivium, which belongs to the eSTREAM portfolio, and we also propose a variant with 128-bit security: Kreyvium. We show that Trivium, whose security has been firmly established for over a decade, and the new variant Kreyvium have an excellent performance.