Secret Program Execution in the Cloud ApplyingHomomorphic Encryption

Michael Brenner, Jan Wiebelitz, Gabriele von Voigt and Matthew SmithResearch Center L3S, Hannover, Germany{brenner,wiebelitz,vonvoigt,smith}@l3s.de

Abstract—A growing number of compute and data storagejobs is performed on remote resources. In a cloud environmentthe customer can’t be sure where a particular job is physicallyexecuted and thus cannot rely on the security and confidentialityof the remote resource. A solution for this problem is operating onencrypted functions and encrypted data. This enables a customerto generate a program that can be executed by a third party,without revealing the underlying algorithm or the processed data.This helps securing applications and data in a distributed digitalecosystem.

We present a method to compute a secret program on anuntrusted resource using fully homomorphic encrypted circuits.We sketch an algebraic homomorphism as a cryptographicfoundation and define a sample system architecture for whichwe provide a software implementation. Our concept solves theproblems of encrypted storage access with encrypted addressesand encrypted branching: in contrast to other approaches, likestatic one-pass circuit simulations, our system supports dy-namic parameters and non-linear programs, that render branch-decisions at runtime and cannot be represented in a circuit withhard-wired in-circuit parameters and data. Our implementationcomprises the runtime environment for an encrypted programand an assembler to generate the encrypted machine code.

Index Terms—homomorphic encryption, secure function eval-uation, encrypted program execution, encrypted memory access,encrypted branching, mobile code security

I. INTRODUCTION

The ability to securely delegate computation to a remoteresource provider is becoming a key feature in resourceoutsourcing and cloud computing, where programs and dataare distributed over a wide network of machines and resourcesthat can no longer be controlled by the customer. The customerhas to trust the resource provider, because to date all software -once transmitted to the remote resource provider - is executedin unencrypted form and is entirely under the control of theresource owner. There is a need for a mechanism to operateon encrypted programs and data.

A solution to this is fully homomorphic encryption, whichhas often been called the cryptographer’s holy grail. Oncethe mathematical foundation has been established [1], weneed further procedures and an architecture that enable areasonable application of encrypted additions and multipli-cations on single bits. It’s essentially this, what the latesthomomorphic systems provide. Our goal is the constructionof a generic runtime container that is capable of executingarbitrary encrypted programs, operating on encrypted data.

In this paper we present a method to compute an encryptedprogram on an untrusted resource using fully homomorphic

encrypted circuits. To avoid the reader’s distraction and fora more readable discourse, we introduce a simple algebraichomomorphism as a cryptographic foundation to present ourconcept. We define a sample system architecture for whichwe provide a software implementation. Our concept solves theproblems of encrypted storage access with encrypted addressesand encrypted branching: in contrast to other approaches, likeYao’s Garbled Circuits [2] and several extensions such as [3]and [4], our system supports non-linear programs, dynamicparameters and subsequent provision of encrypted input datathat can easily be written into the encrypted memory. Wesupport programs that render dynamic branch-decisions atruntime, even allow self-modifying code and thus cannot berepresented in a one-pass circuit. We achieve this by applying acipherspace lock up strategy that seals program code and dataentirely in the encrypted domain, which is a closed algebraicsystem. Our concept also solves the problem of both protectingan executing host from malicious code and protecting mobilecode from a malicious host.

The paper structure is as follows: Related work and otherinteresting approaches are discussed in Section II. SectionIII gives a brief overview of homomorphic encryption anddescribes a simple algebraic homomorphism that is used asa reference model for the description of our concept. SectionIV introduces our approach of homomorphically encryptingcircuits using an integer representation. We also introduceprocessor primitives that are described in detail, both inboolean and encryptable integer logic. Section V gives anoverview of different use cases for our system in a distributedor cloud environment. Applying the foundation of encryptedcircuits, we discuss our software implementation and providebasic performance figures in Section VI. Our future workand lessons learned from the implementation are presentedin Section VII. We give a short summary of our contributionsin Section VIII.

II. RELATED WORK

Most existing cryptographic methods aim at securing thetransport and storage of data. With the advent of Cloud Com-puting, new approaches emerged and older ones have beenrevisited. One group of concepts to secure computation is theconstruction of boolean circuits as a function representation.The circuit is then encrypted in some way (actually, in casesof Yao derivatives, the function tables of the boolean gatesare assigned different values) to conceal the original function.

5th IEEE International Conference on Digital Ecosystems and Technologies (IEEE DEST 2011), 31 May -3 June 2011, Daejeon, Korea

ISBN: 978-1-4577-0872-5 (c) 2011 IEEE 114

The contributions of Yao [2], Abadi [5] and Malkhi [3] areexamples for this class of approaches. The goal is to establisha protocol and an execution container that allows for SecureFunction Evaluation of a common function with a secret inputfrom every participating entity. Another field is Mobile CodeProtection (MCP). Two directions can be observed here: A)the protection of code from a malicious host and B) theprotection of a host from malicious, mobile code. MCP baseson policies and reduced access rights of execution containers.An implementation of method A for a Java environment isdescribed in [10], a more general method in [11]. Approachesfor case B often rely on a defined and controllable plat-form and aim in the direction of hardware supported TrustedPlatform Computing [12]. A working secure system, basedon TPC is Turaya [15] which implements secure applicationcompartments to protect the host and to separate applicationsfrom each other. A third class of concepts addresses securityby evaluating encrypted functions and/or data, where mostmethods apply some sort of homomorphic encryption. Sanderand Tschudin [13] [14] have proposed a scheme that is ableto evaluate encrypted polynomials over rings Z/nZ. Lee etal have been working on a method to partially encrypt andevaluate a series of interdependent three-address statements[16]. The US Patent No. 7,296,163 B2, ”Systems and methodsfor encrypted execution of computer programs” [17], tries tosolve the problem of encrypted execution by representing XORand NOT functions as matrix operations and by distributingthe calculation over a number of hosts, the results of whichhave to be merged by a control computer.

III. HOMOMORPHIC ENCRYPTION

A homomorphism is a structure-preserving transformationbetween two sets, where an operation on two members in thefirst set is preserved in the second set on the correspondingmembers.

Let P and C be sets with members p1, p2 ∈ P , t atransformation between the two sets with its reverse functiont′ and an operation ⊕. The system is a homomorphism, if∀p1, p2 ∈ P, (p1 ⊕ p2) = t′(t(p1) ⊕ t(p2)). If there are twofunctions ⊕ and ⊗, such that ∀p1, p2 ∈ P, (p1 ⊕ p2) =t′(t(p1) ⊕ t(p2)), (p1 ⊗ p2) = t′(t(p1) ⊗ t(p2)), we callthis an algebraic homomorphism [6]. The obvious practicalimplication is the possibility to transform the two membersp1 and p2 into the range of C, thus applying some sort ofencryption, and having the operations ⊕ and ⊗ performed bya third party. The result can then be decrypted back into therange of P .

An algebraically homomorphic crypto-system can be de-scribed as a 6-tuple H1 = {P,C, t, t′,⊕,⊗} where P and Cdenote the plain-text space and the cipher-text space, respec-tively, whereas t and t′ denote the encryption- and decryption-functions. ⊕ and ⊗ tag the two algebraic operations. Manydifferent, yet limited homomorphic encryption schemes havebeen found. An overview of homomorphic encryption schemesthat base on a single algebraic operation or a limited com-bination of two, is given in [6]. Advanced homomorphic

schemes, such as [7] and [8], base on Gentry’s approach ofbootstrapping a fully homomorphic from a somewhat homo-morphic system [1] and provide addition and multiplicationplus a normalization procedure that is supposed to allowunlimited chaining of operations in cipher-text space. Thistechnique of reducing noise in the cipher-text space requiresfor an additional formal descriptive item, extending H1 toH2 = {P,C, t, t′,⊕,⊗, r}, introducing a reduction-functionr, which takes a noisy cipher-text and transforms it into anequivalent with reduced noise.

Before we enter the detailed description of our concept,we want to demonstrate a very simple but incomplete (detailsbelow), algebraically homomorphic encryption scheme. How-ever, our concept works with any encryption scheme in thisclass but this particular scheme is intended to give an idea ofwhat an encrypted circuit representation, that we introduce inSection IV, may look like.

Let p ∈ N be a large prime integer as a secret key andlet the operands a and b be two arbitrary integers with(a, b) < p ∈ N. Then we can perform an encryption of a asa′ = a+ (r ∗ p) with r ∈ N being a large random integer. Thecleartext a can be calculated as the remainder of a′ mod p. Wecan then perform an encrypted addition (a′+b′) which extendsto (a′+b′) = (a+(r1∗p))+(b+(r2∗p)) and a+b+(r1+r2)∗pand when decrypted mod p yields (a+ b). The multiplicationis performed as (a′ ∗ b′) = (a+ (r1 ∗ p)) ∗ (b+ (r2 ∗ p)) anda∗b+a∗(r2∗p)+b∗(r1∗p)+(r1∗r2)∗p∗p mod p = (a∗b).

Example 1. a = 5, b = 4, p = 23, r1 = 6, r2 = 3;a′ = 5 + (6 ∗ 23) = 143; b′ = 4 + (3 ∗ 23) = 73;a′ + b′ = 216, 216 mod 23 = 9;a′ ∗ b′ = 10439, 10439 mod 23 = 20

�

It is easy to prove that this scheme is incomplete, becauseif the result of an operation between the two operands aand b exceeds the prime modulus p, the decryption fails. Sostarting with two clean plain-text items, the intermediate resultgrows towards the modulus with every operation and in thissense is polluted. To compensate for this, a fully homomorphicencryption scheme must define a normalization (Gentry callsthis a reencryption procedure) of the intermediate result. Inthe case of the system shown here, a normalization would beany function that can minimize the remainder mod p of theresult while preserving the parity mod p. Gentry addressesthis problem by generating a public key that contains adecryption hint. This hint allows to homomorphically decryptthe intermediate result in the encrypted domain, which meansthat the plain-text of the argument remains unknown. With theplain-text at hand in cipher-space, it is possible to reencryptthe plain-text which generates a new cipher of the plain-textwith reduced noise.

IV. CIRCUIT ENCRYPTION

To encrypt a circuit we encode a bit in a cipher text’sproperty of having an even or odd remainder modulo a secret

5th IEEE International Conference on Digital Ecosystems and Technologies (IEEE DEST 2011), 31 May -3 June 2011, Daejeon, Korea

ISBN: 978-1-4577-0872-5 (c) 2011 IEEE 115

prime key. This can be easily reduced to a boolean algebra.

Definition 1. In boolean expressions the operator ⊕ denotesthe XOR operation.

To model circuits, using the encryption scheme, introducedin Section III, we will be mapping 0-bits to even integers(resp. even remainders modulo a prime key) and 1-bits to oddintegers. XOR-operations will be represented by the integeraddition, while the integer multiplication represents a booleanAND-operation. This allows us to simulate chains of booleanoperations by means of simple integer arithmetics.

Example 2. The boolean term r = (a ⊕ b) ⊕ (a ∧ b),which results in a boolean OR-operation, can be expressed ininteger arithmetics as r = (a + b) + (a ∗ b), assuming a andb being even or odd integer representations of bit values.

�

Definition 2. We will be using the notation ◦ for thecomposite OR-operation in integer arithmetics which isdefined as a ◦ b = (a+ b) + (a ∗ b).

A. Encrypted Memory Access

A basic circuit that implements read-access to memory isdepicted in Figure 1. In that diagram, the memory values aredrawn from static memory cells without further logic from them-wires, which is a notation that closely relates to a softwaresimulation. The output bit of this single bit memory-columnwith 2 address lines can be calculated as c = (¬a0 ∧ ¬a1 ∧m0) ∨ (a0 ∧ ¬a1 ∧m1) ∨ (¬a0 ∧ a1 ∧m2) ∨ (a0 ∧ a1 ∧m3).

AND

OR

AND

AND

AND

m0..3 a0..1

c

Fig. 1. Basic memory circuit

By extending this function to the required number ofaddress lines and memory columns, we are able to model amemory-circuit of any size. Now we transform the booleangate logic for this memory circuit to integer arithmetic, whichresults in the following expression (note Example 2 andDefinition 2):

row0 = ((a0 + 1) ∗ (a1 + 1) ∗m0),row1 = (a0 ∗ (a1 + 1) ∗m1),row2 = ((a0 + 1) ∗ a1 ∗m2),row3 = (a0 ∗ a1 ∗m3),

c = row0 ◦ row1 ◦ row2 ◦ row3

Example 3. Let m0..m3 be the random bit memory column{1, 0, 1, 0} represented by the integer sequence {5, 4, 9, 6}and let a0..a1 be the sequence {8, 3} representing the decimaladdress 2 in binary form. Then the memory access describedin integer arithmetic can be calculated as follows (pleaseremember, that we are operating on a simplified representationmodel with a constant random r of 0):

row0 = ((8 + 1) ∗ (3 + 1) ∗ 5) = 180row1 = (8 ∗ (3 + 1) ∗ 4) = 128row2 = ((8 + 1) ∗ 3 ∗ 9) = 243row3 = (8 ∗ 3 ∗ 6) = 144r = 180 ◦ 128 ◦ 243 ◦ 144 = 826087619 =̂ 1

Performing access with a0..a1 = {5, 8}, representingthe decimal address 1 in binary form yields the followingcalculation:

row0 = ((5 + 1) ∗ (8 + 1) ∗ 5) = 270row1 = (5 ∗ (8 + 1) ∗ 4) = 180row2 = ((5 + 1) ∗ 8 ∗ 9) = 432row3 = (5 ∗ 8 ∗ 6) = 240c = 270 ◦ 180 ◦ 432 ◦ 240 = 5118619002 =̂ 0

�

We are able to access encrypted memory providing anencrypted address to the circuit such that the access procedurereveals neither memory address, nor memory content. Addi-tionally we can observe that accessing memory with a differentrepresentation of an equivalent plain-text address results in adifferent representation of the accessed memory content. Alsonote the fact that we always have to solve the entire circuit,since we have no possibility to decide wether a particularrow holds an encrypted 1 and therefore the calculation of thefollowing row results can be omitted.

To assign a memory cell a new value, this new valuerepresentation is passed as i (input) to the write function.The writing-procedure then iterates over all memory rows andgenerates the row-select signal (which is an analogy to theselect signal used in memory hardware) row as shown inExample 3 for row0 to row3. For each row we generate thenew cell value as mnew = (row ∧ i) ∨ (¬row ∧m).

This assigns the new value if the row is selected andthe old value m otherwise. Note again, that even if notselected, every cell is assigned a new equivalent of the oldrepresentation. To implicitly decide between memory read-and write-access, we introduce an encrypted write-signalanalogy that indicates the direction of the data flow. Implicitdecision means, that there is, of course, no true decision,because the new value is a logical-numeric calculation overall given target bit representations (memory cells) and theselecting bit representations (address lines). The full-fledgedbi-directional access function for a single bit column in theaddress-space of A reads as follows:

5th IEEE International Conference on Digital Ecosystems and Technologies (IEEE DEST 2011), 31 May -3 June 2011, Daejeon, Korea

ISBN: 978-1-4577-0872-5 (c) 2011 IEEE 116

∀x ∈ A : mx = (rowx ∧ write ∧ i) ∨ (rowx ∧ ¬write ∧mx) ∨ (¬rowx ∧mx), c =

∨(rowx ∧mx);x ∈ A, |x| = 1

Since the result of the access function is a logical combi-nation of all memory cells, the complexity of memory access,which depends of the circuit size, is an almost linear function.The number of boolean gates that have to be processedin order to determine r during a read access is given asf(size) = (size ∗ ¬) + (2 ∗ size ∗ ∧) + ((size− 1) ∗ ∨).

B. Encrypted Arithmetic-Logical Unit

To model an encrypted ALU, we apply a similar techniqueas we use to implement memory access. The ALU essen-tially consists of a couple of simple circuits that are appliedconstantly to the input signals a and b and, in every cycle,produce the operation-specific output. The command-switcho0..o1, which takes an opcode selects, the appropriate functionresult for the output wire and is in this sense equivalent tothe address-selection in the memory circuit. Assuming thecommand-encoding for the selector lines {o0, o1} as{0, 0} =̂ add, {1, 0} =̂ and, {0, 1} =̂ xor, {1, 1} =̂ not

and the following series of equations which model the ALUfunctions in boolean logiccadd = fulladder(a, b), cand = a∧b, cxor = a ⊕ b, cnot =¬a

then this renders the result of the particular operation,denoted by o0, o1:c = (cadd ∧ (¬o0 ∧ ¬o1))∨, (cand ∧ (o0 ∧ ¬o1))∨, (cxor ∧(¬o0 ∧ o1))∨, (cnot ∧ (o0 ∧ o1))

Because the ALU function selection and memory accessare comparable, we are not providing further details on ALUcircuit modeling at this point. The transformation into integerarithmetic can be directly derived from the memory model.

C. Branching

Branching is the operation type that has the program counteras target register. We have unconditional branches (jumps) andthose that depend on the system’s state. An unconditional jumpis performed by copying the target address, provided by thejump command, to the program counter. The ability to performdynamic branches, is one of the advantages of our concept,compared to other approaches. Actually, most conditionalbranches are directly influenced by a system state indicator, aflag. Flags offer the opportunity to steer the program flowaccording to events, like a comparison result (i.e. equalityor zero) or a special arithmetic case (i.e. the carry value orthe sign of an integer). In the following we assume a CPUwordsize of η.

Let F be the set of flags, PC the program counter register,DR the data register and CR the command register. Theselatter two registers are loaded during the CPU fetch cyclewith an operation code and an operand value. The functions

jmp(CR), bcc(CR) and bz(CR) take the command registeras input and return true (an odd representation) if thecommand register contains the respective command. jmpyields true if the loaded operation in the command register isan unconditional jump, bcc is true for a branch-if-carry-clearoperation and bz is true for a branch-if-zero operation. Thenext address to be assigned to the PC, following the programflow, is then

∀x : x ∈ {0..(η − 1)},PCx = (jmp(CR)∧DRx)∨ (bcc(CR)∧DRx ∧¬Fcarry)∨(bz(CR) ∧ DRx ∧ Fzero) ∨ (¬jmp(CR) ∧ ¬bcc(CR) ∧¬bz(CR) ∧ (PC + 1)x).

This applies a selection technique similar to the memoryaccess function above. In this case, the memory values arereplaced by the two possible new addresses and the addressselectors are replaced by the command functions jmp, bcc andbz.

Termination

Due to the structure and the mathematical isolation of theprocessing model, the host has no possibility to decide, ifand when the execution of the encrypted program ends. Theencrypted program, being locked up in the cipher-space, canneither generate any unencrypted signal that can be evaluatedfrom outside the container, nor can it manipulate a resource(memory locations or flags) that can be distinguished fromother encrypted resources from the outside. The encryptedprogram has no influence on the execution timing and iscompletely passive. To practically address this particular ter-mination problem, we propose the definition of the numberof cycles, that have to be performed to safely execute the en-crypted program. A proof under what conditions this problemcan be solved remains to be given.

V. CLOUD APPLICATIONS

One of the major problems in Cloud Computing is thefact that the security and confidentiality of a remote resourcecannot be technically validated by the customer. As a con-sequence, the security aspect is still subject to contracts andtrust. In contrast to the execution of programs, the transmissionof data can be well protected by different cryptographictechniques. Asymmetric methods can satisfy a number ofrequirements in the field of encrypted communication, suchas confidentiality, integrity and authenticity. The system thatwe present in this paper can act as a basis for protocols andmethods that strengthen the security of program executionin distributed environments. In this Section we describe fourexample use cases.

A. Delegation

The delegation of computation to a remote resource isthe most obvious use case for our system. Many differentdelegation scenarios exist today. They range from the provisionof machines and platforms through resource providers to

5th IEEE International Conference on Digital Ecosystems and Technologies (IEEE DEST 2011), 31 May -3 June 2011, Daejeon, Korea

ISBN: 978-1-4577-0872-5 (c) 2011 IEEE 117

remote data storage and remote (web-) desktop applications,like Google Apps, the Zoho office suite and others. What-ever granularity any of these services have, they all sharethe common danger of being physically located outside thejurisdiction of the customer. To address this problem, thecustomer generates an encrypted version of his software anddata and transmits the resulting aggregate to the resource. Theprogram included in the encrypted package is then executed onthe remote resource in encrypted form and after the programis finished, the entire encrypted package is transferred back tothe customer, who recovers the result by decrypting designatedparts of the package.

B. Remote Search

A desirable feature of a search engine is an encryptedsearch function. The customer provides an encrypted searchargument to the search engine and receives an encrypted result.The search engine itself can neither determine argument norresult of the search operation. The encrypted search can beimplemented in different ways, concerning the encryption ofthe database that contains the data to be searched. One optionis the encryption of the entire database with the customer’skey, which implies that the data is only accessible by onecustomer. Another option is an encrypted search function thathandles plaintext input data. The search engine subsequentlyinserts data into the search function and thus generates theencrypted result which is then transmitted to the customer.

C. Mobile Code

A special case of delegation is mobile code, as found indifferent software agent systems. In our case, mobile codeis an encrypted aggregate of software and data that can bepassed from one resource to another. The purpose mightbe the collection of data, if the customer (the informationrecipient) is only interested in the final result, after differentresources have provided their input to the aggregate, or afterthe aggregate has been circulating for a defined period of time.Each information provider inserts its data and executes theencrypted import function which calculates a new intermediateresult and disguises the last input. On the one hand theintermediate results cannot be evaluated by the informationproviders, on the other hand the information recipient, thoughbeing able to decrypt the final result, cannot evaluate thedifferent input data.

D. Multi-Party Computation

The classic multi-party (MP) computation describes a sce-nario where two parties want to execute a function with secretinput data on each side and a common output. This can beachieved with our system as sketched in the Mobile Codeuse case. In the MP scenario all participants act as bothinformation provider and information recipient. An advantageof our system over the approach of the garbled circuits [2]is that the garbled circuits require much more communicationbetween the interacting parties to generate and exchange thefunction representation.

VI. IMPLEMENTATION

We provide prototype-implementations of our concept inJava and C. This Section describes the software-architectureand the system properties. We also want to show that becauseof its simple design it can be easily integrated into existingapplications for rapid prototyping or be extended to meetspecial requirements.

A. Architecture

The layered software architecture of our system is depictedin Figure 2. We use a Java VM as a base, upon which we builtthe execution engine with a dependency on an implementationof homomorphic encryption as a library.

Cryptographic Library

Operating System / Java VM

Encrypted Program

Execution Engine

Fig. 2. Software Layers

The encrypted program itself is independent of the particulartype of encryption, as long as the assembler module and theexecution engine use the same encryption library. To enablea pluggable architecture, we have defined a narrow interfacethat ensures interoperability with any suitable and availableencryption library. The library has to provide appropriatefunctions like encode/decode/recode and the two arithmeticfunctions.The encode-function takes an integer and generates an arrayof encrypted bit representations depending on the secret key.The decode-function takes an array of encrypted bit repre-sentations and decodes these, applying the secret key. Therecode-function is the normalization-procedure and takes apublic key to produce a representation of an encrypted bitthat contains less noise. The modular system design allowsfor quick replacement of the crypto-library, in case a fasterimplementation becomes available.

B. System Properties

The prototype-implementations apply a memory wordlength of 13 bits in little-endian format. A word containseight bits of data in the data compartment (bits 0 to 7)and a five bits wide command (bits 8-12). This enables oursample processor architecture that bases on a memory-accessprinciple, where command and data can be fetched in thesame instruction cycle. If a memory location is written to,only the data compartment is modified, whereas the commandcompartment remains untouched. The memory circuit containsa total of 256 words that may be randomly accessed.

The instruction set implements the two addressing modesimmediate and direct with commands in different classes likememory access (load, store), program flow (comparison, jumps

5th IEEE International Conference on Digital Ecosystems and Technologies (IEEE DEST 2011), 31 May -3 June 2011, Daejeon, Korea

ISBN: 978-1-4577-0872-5 (c) 2011 IEEE 118

and branches), logic functions (and, or, xor) and arithmeticfunctions (add, rotate, shift). Immediately addressed operandsare contained in the command-word, while directly addressedoperands are described by their memory location. The refer-ence Java-implementation contains a symbolic assembler, thatis capable of generating encrypted machine code based on acryptographic library, as depicted in the architectural overview.

C. Test Setup

Our test suite consists of a 2.4GHz Intel Core 2 Duo with4GB of 667MHz DDR2 SDRAM platform and Java 5. Theaverage cycle duration on our test machine is 3ms. A cycleprocesses 129397 gates (68933 AND, 44988 XOR, 15476NOT), the C implementation is slightly faster. Since these fig-ures describe the simplified crypto-system, they only containthe plain time consumption of the circuit evaluation. To be ableto make a statement about a production level configuration,where a sound encryption scheme is applied, these figuresmay serve as a basis for a rough runtime estimation of theprogram itself.

VII. OPEN ISSUES AND FUTURE WORK

We have implemented the Smart-Gentry crypto system [8]and are currently integrating it into our approach. Performancefigures should be available soon. One of the main issues ofour concept is the termination problem. To solve this problem,a crypto-system that can selectively decrypt information isrequired. There are a number of possible applications forour concept, including a couple of older problems, as shownin Section V. The environment presented in this paper haslimited capabilities and a dependency between memorysize and performance, which makes it primarily suitablefor small problem sizes. By extending the capabilities ofour concept to interact with the host system, we will beable to perform calculations on portions of secret data orsecret algorithms, that are part of a larger system. Currently,we are able to inject data into the encrypted environment,which is sufficient to receive process data from outside thecipher-space. However, this induces further problems, like thecorrectness and consistency of the encrypted code and data.An obvious field of application is Cloud Computing, wheresmall- and medium-scale compute jobs are performed thathave individual privacy demands. The establishment of anappropriate system and application architecture will be the keyto integrate our concept into existing cloud applications andenvironments, to face new security requirements of mobilecode and distributed applications in digital ecosystems.

VIII. SUMMARY

In this paper we presented a method to perform the exe-cution of encrypted programs operating on encrypted data. Incontrast to other solutions, the code as well as the processeddata is held entirely in the cipher-space, but still remainsdynamic and can be provided with multiple process dataafter having been transferred to the executing host. We have

described a simple homomorphic encryption scheme as areference model and developed a method to represent circuitsby means of homomorphically encrypted integer arithmetics.Applying the basic logic function representations, we sketchedhow to build different microprocessor primitives like memory-access logic and arithmetic operations. We then developed asimple CPU and system model and presented the referenceimplementation of our model. We provided basic performancefigures that help to establish a rough runtime estimationfor encrypted programs. We discussed different example usecases for our concept in the area of distributed computingand sketched how the mentioned problems can be addressedapplying our system.

REFERENCES

[1] Craig Gentry, Fully Homomorphic Encryption Using Ideal Lattices,STOC ’09: Proceedings of the 41st annual ACM symposium on Theoryof computing, DOI:10.1145/1536414.1536440

[2] Andrew C. Yao, How to Generate and Exchange Secrets, 27th FOCS,pages 162167, 1986

[3] Dahlia Malkhi, Noam Nisan et. al.,Fairplay—a secure two-party compu-tation system, SSYM’04: Proceedings of the 13th conference on USENIXSecurity Symposium

[4] Vladimir Kolesnikov, Ahmad-Reza Sadeghi, Thomas Schneider, How toCombine Homomorphic Encryption and Garbled Circuits - Improved Cir-cuits and Computing the Minimum Distance Efficiently, 1st InternationalWorkshop on Signal Processing in the EncryptEd Domain (SPEED’09)

[5] Martin Abadi and Joan Feigenbaum, Secure circuit evaluation, SpringerJournal of Cryptology Vol. 2 No. 1 1990, DOI:10.1007/BF02252866

[6] Caroline Fontaine and Fabien Galand, A Survey of Homomorphic En-cryption forNonspecialists, EGEE’09, EURASIP Journal on InformationSecurity Volume 2007, Article ID 13801, DOI:10.1155/2007/13801

[7] Marten van Dijk, Craig Gentry, Shai Halevi and Vinod Vaikuntanathan,Fully Homomorphic Encryption over the Integers, Advances in Cryptol-ogy EUROCRYPT 2010, Springer DOI:10.1007/978-3-642-13190-5

[8] Nigel P. Smart and Frederik Vercauteren, Fully Homomorphic Encryptionwith Relatively Small Key and Ciphertext Sizes, Public Key CryptographyPKC 2010, Springer 10.1007/978-3-642-13013-7

[9] John L. Hennessy, David A. Patterson, Computer Architecture. A Quan-titative Approach, Academic Press; 4th rev. ed. 2006, ISBN 978-0123704900

[10] Dahlia Malkhi, Michael K. Reiter and Aviel D. Rubin, Secure Executionof Java Applets using a Remote Playground, IEEE Symposium onSecurity and Privacy 1998, IEEE DOI:10.1109/SECPRI.1998.674822

[11] Vladimir Kiriansky, Derek Bruening and Saman Amarasinghe, SecureExecution Via Program Shepherding, In Proceedings of the 11th USENIXSecurity Symposium (August 05 - 09, 2002). D. Boneh, Ed. USENIXAssociation, Berkeley, CA, 191-206.

[12] The Trusted Computing Group TCG, Trusted Platform Computing, onthe web http://www.trustedcomputinggroup.org

[13] Tomas Sander, Christian F. Tschudin, Protecting Mobile Agents AgainstMalicious Hosts, In Giovanni Vigna, editor, Mobile Agent Security, pages4460. Springer-Verlag: Heidelberg, Germany, 1998.

[14] Tomas Sander, Christian F. Tschudin, Towards Mobile Cryptography,Technical report, International Computer Science Institute, Berkeley,1997.

[15] European Multilaterally Secure Computing Base, Turaya, on the webhttp://www.escb.com

[16] Hyungjick Lee, Jim Alves-Foss and Scott Harrison, Securing MobileAgents Through Evaluation of Encrypted Functions, Technical report,Center for Secure and Dependable Software Computer Science Depart-ment, University of Idaho, 2001.

[17] George Cybenko, System And Methods For Encrypted Execution OfComputer Programs, United States Patent No. 7,296,163 B2, Nov. 13,2007

5th IEEE International Conference on Digital Ecosystems and Technologies (IEEE DEST 2011), 31 May -3 June 2011, Daejeon, Korea

ISBN: 978-1-4577-0872-5 (c) 2011 IEEE 119