by Brent Carmer and David W. Archer, PhD

Our team at Galois, Inc. is interested in making secure computation practical. Much of our secure computation work has focused on linear secret sharing (LSS, a form of multi-party computation) and the platform we’ve built on that technology. However, we’ve also done a fair bit of comparison between LSS, garbled circuit approaches, and homomorphic encryption (HE). We recently noticed that Shai Halevi and Victor Shoup’s open source homomorphic encryption library HElib was just waiting for someone to implement some interesting block ciphers. In this post, we talk about our experience implementing and evaluating performance of the SIMON block cipher in HElib. Our implementation processes 1800 64b blocks in parallel, achieving a rate of 3.1 seconds per block.

In homomorphic encryption (HE), a user encrypts data and sends it to a single untrusted server. That server, which does not hold the encryption key, computes on the encrypted data and returns an encrypted answer to the user. Each step in HE computation accumulates noise that eventually makes the plaintext unrecoverable unless extra time-consuming steps (informally called bootstrapping) are taken. When these steps are not taken, HE cryptosystems are typically called somewhat homomorphic (SHE for short). When bootstrapping is used, more complex computations can be performed. Such cryptosystems are typically called fully homomorphic (FHE for short).

Unfortunately, making HE practical is challenging. HE is very much (many orders of magnitude) slower than computing the same result “in the clear”. Typical HE ciphertexts are also far (thousands to millions of times) bigger than the plaintexts they represent. Even with such challenges, the promise of HE is compelling, particularly where mobile devices may have insufficient computational power, cloud-based servers may be readily used to outsource such computation, and users are not prepared to trust those servers with their (plaintext) data.

As of this posting, HElib as available on GitHub falls into the SHE category. Shai and Victor have indicated that they plan to make bootstrapping (and thus FHE) available in a few weeks. To gain experience using HElib, we implemented a member of the SIMON block cipher family. SIMON is a new family of lightweight block ciphers released by the NSA in 2013. We implemented SIMON with a 64-bit block size and a 128-bit key size. The SIMON specification calls for 44 processing “rounds” in SIMON 64/128, which we were able to implement using the current (somewhat homomorphic) version of HElib.

Key portions of our SIMON implementation are shown below encoded in Cryptol, a domain-specific language for expressing cryptographic algorithms developed by Galois and widely used in some government agencies. Cryptol is designed to describe cryptographic algorithms at a level of abstraction very close to the mathematical specification, to minimize the likelihood of error when translating from specification to code. For some target languages, the Cryptol tool suite can automatically verify that an implementation matches its Cryptol description. The Cryptol suite can also automatically generate certain implementations from Cryptol descriptions. Using Cryptol’s support for SAT solvers, we have proven some properties of our SIMON implementation: absence of weak keys, injectivity of key expansion, and that decryption composed with encryption is the identity.
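As an added example (not code from the Galois post, HElib, or the Cryptol sources), here is a plaintext reference model of SIMON 64/128 in Python, the variant described above: the 44-round Feistel structure, the key schedule with the z3 constant sequence, and the inverse. A model like this is what you would compare an HE or Cryptol implementation against; the key and block values are the published SIMON 64/128 test vector from the cipher's specification, and the round-trip check is the "decryption composed with encryption is the identity" property the post mentions.

```python
MASK = 0xFFFFFFFF   # word size n = 32 bits
ROUNDS = 44         # T = 44 rounds for SIMON 64/128
KEY_WORDS = 4       # m = 4 words of 32 bits = 128-bit key
# Constant sequence z3 from the SIMON specification (selected for SIMON 64/128).
Z3 = "11011011101011000110010111100000010010001010011100110100001111"

def rol(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK

def ror(x, r):
    return ((x >> r) | (x << (32 - r))) & MASK

def expand_key(key_words):
    """Key schedule: 4 key words (k[0] = the spec's rightmost word) -> 44 round keys."""
    k = list(key_words)
    for i in range(KEY_WORDS, ROUNDS):
        tmp = ror(k[i - 1], 3) ^ k[i - 3]   # the k[i-3] term applies only when m = 4
        tmp ^= ror(tmp, 1)
        z = int(Z3[(i - KEY_WORDS) % 62])
        k.append((~k[i - KEY_WORDS] & MASK) ^ tmp ^ z ^ 3)
    return k

def feistel(x):
    # Round function: the AND is the only nonlinear (multiplicative) step per
    # round, which is what consumes the noise budget when run under HE.
    return (rol(x, 1) & rol(x, 8)) ^ rol(x, 2)

def encrypt(block, round_keys):
    x, y = block                      # (left word, right word)
    for rk in round_keys:
        x, y = y ^ feistel(x) ^ rk, x
    return x, y

def decrypt(block, round_keys):
    x, y = block
    for rk in reversed(round_keys):   # undo the rounds in reverse order
        x, y = y, x ^ feistel(y) ^ rk
    return x, y

# Published SIMON 64/128 test vector, key listed in the spec as
# "1b1a1918 13121110 0b0a0908 03020100" = k[3] k[2] k[1] k[0].
KEY = (0x03020100, 0x0B0A0908, 0x13121110, 0x1B1A1918)
PLAINTEXT = (0x656B696C, 0x20646E75)
CIPHERTEXT = (0x44C8FC20, 0xB9DFA07A)

def known_answer_test():
    """True if the model matches the published vector in both directions."""
    rks = expand_key(KEY)
    return (encrypt(PLAINTEXT, rks) == CIPHERTEXT
            and decrypt(CIPHERTEXT, rks) == PLAINTEXT)
```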